fabookie | 2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

6.9MB
MD5

d3e22d7fcc478eaf4b9e03a8a5038c12
SHA1

bfa29d4c2535b479102cd37c4a7f4245961daeb3
SHA256

6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656
SHA512

83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956
SSDEEP

196608:xkYTPwdk38Jcv2PH7iFO4SzNWRDLR2/oyRZ156yoJ2YWc:xkYTodk30cvIHV4ShYL8oIZ18TP

Malware Config

Extracted

Family

socelars

http://www.anquyebt.com/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

nullmixer

http://hornygl.xyz/

Extracted

Family

redline

Botnet

media262231

92.255.57.115:11841

Attributes

auth_value
5e0e6c3491655e18f0126b2b32773d57

Extracted

Family

gcleaner

appwebstat.biz

ads-memory.biz

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b465d58_Thu127ed1404d.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2628-222-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a3b1188_Thu12926eaf6b3.exe	family_socelars

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral4/memory/1128-262-0x0000000000400000-0x0000000000480000-memory.dmp	Nirsoft
behavioral4/memory/1060-289-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral4/memory/1060-289-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3964-277-0x0000000000400000-0x000000000045C000-memory.dmp	family_onlylogger
behavioral4/memory/3964-304-0x0000000000400000-0x000000000045C000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libcurl.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61f292a50b8fa_Thu12c85191.exe61f292aaee251_Thu12817405.tmp61f292adcd500_Thu12dd12e2c.exe61f292b2a8973_Thu12d2978de30.exesetup_installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	61f292a50b8fa_Thu12c85191.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	61f292aaee251_Thu12817405.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	61f292adcd500_Thu12dd12e2c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	61f292b2a8973_Thu12d2978de30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Executes dropped EXE 27 IoCs

Processes:

setup_install.exe61f292a688404_Thu122ae6bbac.exe61f292a8a0a6c_Thu12fda79da.exe61f292ac194f1_Thu1230653d.exe61f292aaee251_Thu12817405.exe61f292a3b1188_Thu12926eaf6b3.exe61f292a4b3280_Thu12692268df32.exe61f292a50b8fa_Thu12c85191.exe61f292b10868e_Thu12702ecb5.exe61f292a4b3280_Thu12692268df32.tmp61f292ad20a43_Thu120f4aad3d7.exe61f292aaee251_Thu12817405.tmp61f292b2a8973_Thu12d2978de30.exe61f292ae24e70_Thu12a74e4137.exe61f292af47cdd_Thu12168454a4a.exe61f292adcd500_Thu12dd12e2c.exe61f292b465d58_Thu127ed1404d.exe61f292ae71b3f_Thu1291f781.exe61f292aaee251_Thu12817405.exe61f292a688404_Thu122ae6bbac.exe61f292aaee251_Thu12817405.tmp61f292adcd500_Thu12dd12e2c.exe61f292af47cdd_Thu12168454a4a.exe11111.exeSul.exe.pifSul.exe.pif11111.exe

pid	process
1668	setup_install.exe
4384	61f292a688404_Thu122ae6bbac.exe
2428	61f292a8a0a6c_Thu12fda79da.exe
912	61f292ac194f1_Thu1230653d.exe
4872	61f292aaee251_Thu12817405.exe
3476	61f292a3b1188_Thu12926eaf6b3.exe
4440	61f292a4b3280_Thu12692268df32.exe
3820	61f292a50b8fa_Thu12c85191.exe
3964	61f292b10868e_Thu12702ecb5.exe
528	61f292a4b3280_Thu12692268df32.tmp
3084	61f292ad20a43_Thu120f4aad3d7.exe
2440	61f292aaee251_Thu12817405.tmp
1676	61f292b2a8973_Thu12d2978de30.exe
3804	61f292ae24e70_Thu12a74e4137.exe
1152	61f292af47cdd_Thu12168454a4a.exe
1564	61f292adcd500_Thu12dd12e2c.exe
216	61f292b465d58_Thu127ed1404d.exe
4076	61f292ae71b3f_Thu1291f781.exe
2864	61f292aaee251_Thu12817405.exe
2940	61f292a688404_Thu122ae6bbac.exe
372	61f292aaee251_Thu12817405.tmp
4808	61f292adcd500_Thu12dd12e2c.exe
2628	61f292af47cdd_Thu12168454a4a.exe
1128	11111.exe
3676	Sul.exe.pif
2228	Sul.exe.pif
1060	11111.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exe61f292a4b3280_Thu12692268df32.tmp61f292aaee251_Thu12817405.tmp61f292aaee251_Thu12817405.tmprundll32.exe

pid	process
1668	setup_install.exe
1668	setup_install.exe
1668	setup_install.exe
1668	setup_install.exe
1668	setup_install.exe
1668	setup_install.exe
528	61f292a4b3280_Thu12692268df32.tmp
2440	61f292aaee251_Thu12817405.tmp
372	61f292aaee251_Thu12817405.tmp
1820	rundll32.exe
1820	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

61f292ae24e70_Thu12a74e4137.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\""	61f292ae24e70_Thu12a74e4137.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4756 powershell.exe

Drops Chrome extension 1 IoCs

Processes:

61f292a3b1188_Thu12926eaf6b3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	61f292a3b1188_Thu12926eaf6b3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

Processes:

flow	ioc
27	iplogger.org
143	iplogger.org
152	iplogger.org
12	iplogger.org
43	iplogger.org
140	iplogger.org
148	iplogger.org
11	iplogger.org
90	iplogger.org
116	iplogger.org
136	iplogger.org
138	iplogger.org
161	iplogger.org
165	iplogger.org
51	iplogger.org
134	iplogger.org
150	iplogger.org
163	iplogger.org
174	iplogger.org
113	iplogger.org
159	iplogger.org
45	iplogger.org
86	iplogger.org
121	iplogger.org
123	iplogger.org
131	iplogger.org
157	iplogger.org
168	iplogger.org
119	iplogger.org
125	iplogger.org
154	iplogger.org

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3032 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

61f292ad20a43_Thu120f4aad3d7.exe

pid process

3084 61f292ad20a43_Thu120f4aad3d7.exe

flow	ioc
23	ip-api.com

pid	process
3032	tasklist.exe

pid	process
3084	61f292ad20a43_Thu120f4aad3d7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

61f292a688404_Thu122ae6bbac.exe61f292af47cdd_Thu12168454a4a.exe

description	pid	process	target process
PID 4384 set thread context of 2940	4384	61f292a688404_Thu122ae6bbac.exe	61f292a688404_Thu122ae6bbac.exe
PID 1152 set thread context of 2628	1152	61f292af47cdd_Thu12168454a4a.exe	61f292af47cdd_Thu12168454a4a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral4/memory/1128-262-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral4/memory/1060-283-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral4/memory/1060-289-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4784	912	WerFault.exe	61f292ac194f1_Thu1230653d.exe
4920	1668	WerFault.exe	setup_install.exe
4008	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
3668	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
2436	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
1060	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
2684	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
4420	2428	WerFault.exe	61f292a8a0a6c_Thu12fda79da.exe
5116	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
3496	3964	WerFault.exe	61f292b10868e_Thu12702ecb5.exe
4192	3820	WerFault.exe	61f292a50b8fa_Thu12c85191.exe

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

11111.exe61f292aaee251_Thu12817405.exe61f292ad20a43_Thu120f4aad3d7.exe61f292b2a8973_Thu12d2978de30.exe61f292aaee251_Thu12817405.exefind.exerundll32.exesetup_installer.execmd.execmd.exe61f292a3b1188_Thu12926eaf6b3.execmd.execmd.execmd.exe61f292a50b8fa_Thu12c85191.execmd.exe61f292a4b3280_Thu12692268df32.tmp61f292adcd500_Thu12dd12e2c.exetaskkill.exewaitfor.execmd.exe61f292af47cdd_Thu12168454a4a.execontrol.exerundll32.execmd.execmd.execmd.execmd.exeSul.exe.pifcmd.exefindstr.exesetup_install.exepowershell.exe61f292ac194f1_Thu1230653d.exeSul.exe.pifcmd.execmd.exetimeout.execmd.exe61f292b10868e_Thu12702ecb5.exetasklist.execmd.exe61f292ae24e70_Thu12a74e4137.execmd.exe61f292a688404_Thu122ae6bbac.exe11111.execmd.exe61f292aaee251_Thu12817405.tmp61f292aaee251_Thu12817405.tmp61f292a688404_Thu122ae6bbac.exe61f292af47cdd_Thu12168454a4a.exe61f292adcd500_Thu12dd12e2c.execmd.execmd.exe61f292a4b3280_Thu12692268df32.exe61f292a8a0a6c_Thu12fda79da.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292aaee251_Thu12817405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292ad20a43_Thu120f4aad3d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292b2a8973_Thu12d2978de30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292aaee251_Thu12817405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a3b1188_Thu12926eaf6b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a50b8fa_Thu12c85191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a4b3280_Thu12692268df32.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292adcd500_Thu12dd12e2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waitfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292af47cdd_Thu12168454a4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sul.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292ac194f1_Thu1230653d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sul.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292b10868e_Thu12702ecb5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292ae24e70_Thu12a74e4137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a688404_Thu122ae6bbac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292aaee251_Thu12817405.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292aaee251_Thu12817405.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a688404_Thu122ae6bbac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292af47cdd_Thu12168454a4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292adcd500_Thu12dd12e2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a4b3280_Thu12692268df32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f292a8a0a6c_Thu12fda79da.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

61f292ac194f1_Thu1230653d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61f292ac194f1_Thu1230653d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61f292ac194f1_Thu1230653d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61f292ac194f1_Thu1230653d.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3184 timeout.exe

pid	process
3184	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4676 taskkill.exe

pid	process
4676	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752310563434425"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exe61f292ad20a43_Thu120f4aad3d7.exe11111.exechrome.exechrome.exe

pid	process
4756	powershell.exe
4756	powershell.exe
3084	61f292ad20a43_Thu120f4aad3d7.exe
3084	61f292ad20a43_Thu120f4aad3d7.exe
4756	powershell.exe
4756	powershell.exe
1060	11111.exe
1060	11111.exe
1060	11111.exe
1060	11111.exe
4988	chrome.exe
4988	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4988 chrome.exe
4988 chrome.exe
4988 chrome.exe
4988 chrome.exe

pid	process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

61f292a3b1188_Thu12926eaf6b3.exepowershell.exe61f292af47cdd_Thu12168454a4a.exe61f292ad20a43_Thu120f4aad3d7.exe61f292ae71b3f_Thu1291f781.exetasklist.exetaskkill.exechrome.exe61f292a50b8fa_Thu12c85191.exe

description	pid	process
Token: SeCreateTokenPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeAssignPrimaryTokenPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeLockMemoryPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeIncreaseQuotaPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeMachineAccountPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeTcbPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeSecurityPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeTakeOwnershipPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeLoadDriverPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeSystemProfilePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeSystemtimePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeProfSingleProcessPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeIncBasePriorityPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeCreatePagefilePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeCreatePermanentPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeBackupPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeRestorePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeShutdownPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeDebugPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeAuditPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeSystemEnvironmentPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeChangeNotifyPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeRemoteShutdownPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeUndockPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeSyncAgentPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeEnableDelegationPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeManageVolumePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeImpersonatePrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeCreateGlobalPrivilege	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: 31	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: 32	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: 33	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: 34	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: 35	3476	61f292a3b1188_Thu12926eaf6b3.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	1152	61f292af47cdd_Thu12168454a4a.exe
Token: SeDebugPrivilege	3084	61f292ad20a43_Thu120f4aad3d7.exe
Token: SeDebugPrivilege	4076	61f292ae71b3f_Thu1291f781.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeDebugPrivilege	3820	61f292a50b8fa_Thu12c85191.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

Sul.exe.pifSul.exe.pifchrome.exe

pid	process
3676	Sul.exe.pif
3676	Sul.exe.pif
3676	Sul.exe.pif
2228	Sul.exe.pif
2228	Sul.exe.pif
2228	Sul.exe.pif
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

Sul.exe.pifSul.exe.pifchrome.exe

pid	process
3676	Sul.exe.pif
3676	Sul.exe.pif
3676	Sul.exe.pif
2228	Sul.exe.pif
2228	Sul.exe.pif
2228	Sul.exe.pif
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

61f292adcd500_Thu12dd12e2c.exe61f292adcd500_Thu12dd12e2c.exe

pid process

1564 61f292adcd500_Thu12dd12e2c.exe
1564 61f292adcd500_Thu12dd12e2c.exe
4808 61f292adcd500_Thu12dd12e2c.exe
4808 61f292adcd500_Thu12dd12e2c.exe

pid	process
1564	61f292adcd500_Thu12dd12e2c.exe
1564	61f292adcd500_Thu12dd12e2c.exe
4808	61f292adcd500_Thu12dd12e2c.exe
4808	61f292adcd500_Thu12dd12e2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4576 wrote to memory of 1668	4576	setup_installer.exe	setup_install.exe
PID 4576 wrote to memory of 1668	4576	setup_installer.exe	setup_install.exe
PID 4576 wrote to memory of 1668	4576	setup_installer.exe	setup_install.exe
PID 1668 wrote to memory of 5044	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 5044	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 5044	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3888	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3888	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3888	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 2912	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 2912	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 2912	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3216	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3216	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3216	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3220	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3220	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3220	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3260	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3260	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3260	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 2436	1668	setup_install.exe	WerFault.exe
PID 1668 wrote to memory of 2436	1668	setup_install.exe	WerFault.exe
PID 1668 wrote to memory of 2436	1668	setup_install.exe	WerFault.exe
PID 1668 wrote to memory of 4824	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 4824	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 4824	1668	setup_install.exe	cmd.exe
PID 5044 wrote to memory of 4756	5044	cmd.exe	powershell.exe
PID 5044 wrote to memory of 4756	5044	cmd.exe	powershell.exe
PID 5044 wrote to memory of 4756	5044	cmd.exe	powershell.exe
PID 1668 wrote to memory of 4736	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 4736	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 4736	1668	setup_install.exe	cmd.exe
PID 3216 wrote to memory of 3820	3216	cmd.exe	61f292a50b8fa_Thu12c85191.exe
PID 3216 wrote to memory of 3820	3216	cmd.exe	61f292a50b8fa_Thu12c85191.exe
PID 3216 wrote to memory of 3820	3216	cmd.exe	61f292a50b8fa_Thu12c85191.exe
PID 1668 wrote to memory of 2228	1668	setup_install.exe	Sul.exe.pif
PID 1668 wrote to memory of 2228	1668	setup_install.exe	Sul.exe.pif
PID 1668 wrote to memory of 2228	1668	setup_install.exe	Sul.exe.pif
PID 3220 wrote to memory of 4384	3220	cmd.exe	61f292a688404_Thu122ae6bbac.exe
PID 3220 wrote to memory of 4384	3220	cmd.exe	61f292a688404_Thu122ae6bbac.exe
PID 3220 wrote to memory of 4384	3220	cmd.exe	61f292a688404_Thu122ae6bbac.exe
PID 1668 wrote to memory of 3116	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3116	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3116	1668	setup_install.exe	cmd.exe
PID 3260 wrote to memory of 2428	3260	cmd.exe	61f292a8a0a6c_Thu12fda79da.exe
PID 3260 wrote to memory of 2428	3260	cmd.exe	61f292a8a0a6c_Thu12fda79da.exe
PID 3260 wrote to memory of 2428	3260	cmd.exe	61f292a8a0a6c_Thu12fda79da.exe
PID 1668 wrote to memory of 3228	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3228	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3228	1668	setup_install.exe	cmd.exe
PID 4824 wrote to memory of 912	4824	cmd.exe	61f292ac194f1_Thu1230653d.exe
PID 4824 wrote to memory of 912	4824	cmd.exe	61f292ac194f1_Thu1230653d.exe
PID 4824 wrote to memory of 912	4824	cmd.exe	61f292ac194f1_Thu1230653d.exe
PID 1668 wrote to memory of 5040	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 5040	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 5040	1668	setup_install.exe	cmd.exe
PID 2436 wrote to memory of 4872	2436	cmd.exe	61f292aaee251_Thu12817405.exe
PID 2436 wrote to memory of 4872	2436	cmd.exe	61f292aaee251_Thu12817405.exe
PID 2436 wrote to memory of 4872	2436	cmd.exe	61f292aaee251_Thu12817405.exe
PID 1668 wrote to memory of 3320	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3320	1668	setup_install.exe	cmd.exe
PID 1668 wrote to memory of 3320	1668	setup_install.exe	cmd.exe
PID 3888 wrote to memory of 3476	3888	cmd.exe	61f292a3b1188_Thu12926eaf6b3.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a3b1188_Thu12926eaf6b3.exe
      61f292a3b1188_Thu12926eaf6b3.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4988
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb34e6cc40,0x7ffb34e6cc4c,0x7ffb34e6cc58
        6⤵
        
        PID:4180
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1860 /prefetch:2
        6⤵
        
        PID:2196
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
        6⤵
        
        PID:452
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
        6⤵
        
        PID:3608
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        
        PID:2948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:1
        6⤵
        
        PID:1492
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2864 /prefetch:1
        6⤵
        
        PID:3556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
        6⤵
        
        PID:4676
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
        6⤵
        
        PID:2676
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
        6⤵
        
        PID:5232
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
        6⤵
        
        PID:5940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
        6⤵
        
        PID:5464
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:1544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3660,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:5672
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1192 /prefetch:8
        6⤵
        
        PID:6128
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4552,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3856 /prefetch:2
        6⤵
        
        PID:5472
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4828,i,1257781796927921988,1809658363903383624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a4b3280_Thu12692268df32.exe
      61f292a4b3280_Thu12692268df32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\is-EI6OO.tmp\61f292a4b3280_Thu12692268df32.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EI6OO.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$80230,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a4b3280_Thu12692268df32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a50b8fa_Thu12c85191.exe
      61f292a50b8fa_Thu12c85191.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C timeout 19
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 19
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1296
        5⤵
        Program crash
        
        PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a688404_Thu122ae6bbac.exe
      61f292a688404_Thu122ae6bbac.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a688404_Thu122ae6bbac.exe
        
        61f292a688404_Thu122ae6bbac.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a8a0a6c_Thu12fda79da.exe
      61f292a8a0a6c_Thu12fda79da.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1840
        5⤵
        Program crash
        
        PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe
      61f292aaee251_Thu12817405.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\is-TR417.tmp\61f292aaee251_Thu12817405.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TR417.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$A005E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\is-FHN7Q.tmp\61f292aaee251_Thu12817405.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FHN7Q.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$40212,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ac194f1_Thu1230653d.exe
      61f292ac194f1_Thu1230653d.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 356
        5⤵
        Program crash
        
        PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ad20a43_Thu120f4aad3d7.exe
      61f292ad20a43_Thu120f4aad3d7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292adcd500_Thu12dd12e2c.exe
      61f292adcd500_Thu12dd12e2c.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292adcd500_Thu12dd12e2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292adcd500_Thu12dd12e2c.exe" -a
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ae24e70_Thu12a74e4137.exe
      61f292ae24e70_Thu12a74e4137.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Esistenza.wbk
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq BullGuardCore.exe"
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\find.exe
        
        find /I /N "bullguardcore.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
        
        Sul.exe.pif J
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2228
        
        C:\Windows\SysWOW64\waitfor.exe
        
        waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ae71b3f_Thu1291f781.exe
      61f292ae71b3f_Thu1291f781.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292af47cdd_Thu12168454a4a.exe
      61f292af47cdd_Thu12168454a4a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292af47cdd_Thu12168454a4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292af47cdd_Thu12168454a4a.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b10868e_Thu12702ecb5.exe
      61f292b10868e_Thu12702ecb5.exe /mixtwo
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 624
        5⤵
        Program crash
        
        PID:4008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 624
        5⤵
        Program crash
        
        PID:3668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 756
        5⤵
        Program crash
        
        PID:2436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 772
        5⤵
        Program crash
        
        PID:1060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 536
        5⤵
        Program crash
        
        PID:2684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 796
        5⤵
        Program crash
        
        PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 900
        5⤵
        Program crash
        
        PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b2a8973_Thu12d2978de30.exe
      61f292b2a8973_Thu12d2978de30.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1676
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" .\CZlKA.Q5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b465d58_Thu127ed1404d.exe
      61f292b465d58_Thu127ed1404d.exe
      4⤵
      Executes dropped EXE
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 612
    3⤵
    - Program crash
    PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1668 -ip 1668
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 912 -ip 912
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3964 -ip 3964
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3964 -ip 3964
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3964 -ip 3964
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3964 -ip 3964
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3964 -ip 3964
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2428 -ip 2428
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3964 -ip 3964
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3964 -ip 3964
1⤵
PID:5000

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3820 -ip 3820
1⤵
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4437b9de329a4896dc502dff2aaf221b

SHA1
81fdf27e6c9155312ae3374b76c30c2aefcd9757

SHA256
4218d947fdafe3643edb3f89d6ff050df6eabd8ec85777c31eabf8c4e85eddb7

SHA512
842d923c53777cc183e6d01253147fdeade1a563e3e68bc7b38c2846ad9b35500b44264dec871e04826f186df2c9526c04b04081bd1caf61deab80a323199428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6bf30f76f2bd497e94fdea0fbc395300

SHA1
df87b726233050eef5fb4490235fb3020d212074

SHA256
98da2ecc6af50f8ea69a7de8da29fe08594c57a9d82f8b704e89c9a55918ec76

SHA512
1f39bae761ef2f882c786142d64ccf6a29b5b570c31ac8d8e52078b75f11cb1a686394a1b8425b9572f9b87613527d54c1684d03f76d122a957e8e6e54ea2ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7bd4e1f55a4b252c90908bb654138fe1

SHA1
add6273334a43e599c0bd950f7da157ef7b769c2

SHA256
0db25529e377e87dadffd1461c6ec3a1216f0279d0eb2841312dee701b0d1cd6

SHA512
2fd391de6cbb5f26b8e2481cd464a3c38b0492977a7ab96928e9ab27ec17c366d83e05220eb53a2a1612d7c5e629dac5630de9f8b22e2b0ff97976b89c215ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e261a4c981a5da85ea22903706ca3d8e

SHA1
b1f8606482abea9da5330828854adaf37a6b24a2

SHA256
9e10d8bc35dab7425b5703dedb35258c6c85e90290d9c3436bf5b11698191898

SHA512
bd7d8756c7d6bf484d704208d5092a97654be70dc453f0abd4638ab8ee0feaa5c56d38c5befda3bcdf5da7923622fcca3bfddc85c45ff701c17069372b959297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c59fae8726cb17366698ec900b5b7b3b

SHA1
bad1f075491c699d6e1d1da2770aa68863ea8b61

SHA256
c09618986c3a79b5f8ee6136e9485575b0976cf70324cda01e670e541938591b

SHA512
5f469cd1aab68f11b6dbf1a27d3985039bddf1b450e03f85b40f9cb104b48d7bdb75176a661e7711d52b985f69bb0c3ab35d89ca952953063def19c2b4e79d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ddf4fccb61d7b74e860520655a70d88

SHA1
90020dc1d3a7e1ca373c507d336b4c3f5c2b5de9

SHA256
e2cdf1f677eb3edc8da8a47f97e4ec87cab873833335b2cbbdb6f12642059dcc

SHA512
5f8c9baaf6da1c1e2d0d0756a8b576f69b39a074812972cae545cec458e52834a54f53e02cb1656ceff92a81cfaa56d558d834d70660ca8d4a455bb6f259d72b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ebf3cc7d40d6da050dbdd457a7cf345

SHA1
9d42b314183deeb958749ff5e5242824864494c0

SHA256
29735a85c26ba1602cb10ee9ca9a376a65e45914919cb3007f0678b0dc07753a

SHA512
e9f6cd9bc6e5a7def2b44e50e2196eb28cb80f0f54e8c040b54bb7ac7db8a088705d8ddb49fccbc22a6b190d170cb21b562646ec26bcc9aa664cac10c8c9cffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f4c92bcc1f6c542557c2f7ac56dab20

SHA1
8869aa35014b9be5abef6fe3efb94537158e65a5

SHA256
b108538331126b38c2f7abfb779346d069e3e095f1e08bb0daf48b0e8c9b66b3

SHA512
84400c20fa15be793c0c1bd29541ce6f4bfc016a55b26b455b72d78f074ec186bdb055c9d1f103f6050ab2e5a05ca055da1c7f5639a667d07ead3b3a4b1107b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f92b1255bbd09216472a35b9995648d

SHA1
cb787e37330817a35845906838892bdc74aeeeac

SHA256
7a3337f4024f1a71776a7e047842d38c3585a6e9ed87e38fac3590111a6f44eb

SHA512
5d7486a7abf48199a038b971c29d2ec62e6d427e331e8802828f4a40a4a394df6d502292b90885d79c410ef2281eea9022c2b0830674b039a0fa49b76d6b3c55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0f8bfa7ec98918036cfb8bb284f5b77

SHA1
81ec08c7e2528aee2d2a3d9e7adaebb6315ce322

SHA256
be781fc83535486f0b41ef20be63fe7613dd7ac8f7b0ae80c0b77d80f221d61a

SHA512
bfd3466c8947655dc9df728b76e501da1dcb5aeb916121f050a510660722e14e6a11d56675e2b80c56c1f7d410e70e1fc3b9cd0199167c7f76986757f72ee2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
bf17a027d7685dadd7d5af9d21ff8fc0

SHA1
d3430badcac7cf877325718f5a89cc2352b66446

SHA256
0ee10cfcad36cd0de36e663a16004db3f34d728e683b9a489dd8891e25a4fcc4

SHA512
39ba17eee55444c6028708752a448fa5014f18b2f200b804f552821f1bd85c81bbd564dab46ff0342ffba5084e3e330acb8dde603f745c82dde3df82099f3d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
75c2a733bca297452c031557d0fdc330

SHA1
4bdff12c1cd06d281fe51b2db249599495c60386

SHA256
58d3ae2521889e0a5c4fb6d4a46884c4afd3269eade241f86da4f58b99b1b773

SHA512
f78d3c62061804cd69965a9095d88d8fcef510d1a7cb3b06446098b93c65822867fe439568359d7e6eb6c53f98e01aade5082987766b5ecd664598bf7c38dc50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6ed8f6a3d0ca71f4aef900afdf70aefb

SHA1
f2ccff42e4779168f48f301cccd501a703989e91

SHA256
719630539645eae4dc8a485dbd2bd1c6a60ef47276534913d962ed003f71e632

SHA512
03b32f5a4f0c5505a491ca935ea8d2c161250f80cdb3b088e9ac6616ec541a5fd47630c047ff1b35f31aa1425d677ae3ac0fcfd4d39926f095bfaa843a5ce2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fcd64e49-f615-4ab8-945c-2d46bb10bbd7.tmp

Filesize
17KB

MD5
ea8713d473b3ee0dc0f3f4dd2cd98067

SHA1
1440bee295961100e0e4772ef06a538ba2fbde8e

SHA256
41163d663ec2c65f9f208365671dd959d93bab276a6058c251ddafc122ce1ff3

SHA512
d8cf6b64f977128b71fc50de322cfd1f6286a82b60d577a1addbd4d86e09d2cc89786b8264f51726a5294cf4fb308e5dff6ae6a37855cc01b1e69e9d0baa9454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
207e1b4eb066e07854cf2a670e5ab361

SHA1
9fa2f28f7b3d6d311be1bde78f1f670256258831

SHA256
72671ddf2091534b7bd51d9c0ba5c959ba6f38ac7c25ad39b60dab3f43dc93e9

SHA512
d47d077c5ebe2d1ccee984e12266e740189bc15f9941bc44d8191f32490d4993fbdc865d72e17ec82c5faa06376acbfa94d0e1aa4fb5e3eb30fc08983508b5a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
fcdd2624bf54d46dd5f2ec82a4dc0ffa

SHA1
b701da7a726adae4bb08d9f59d8ba35f5a8e254f

SHA256
735d312799a0bf611e145a4e182d3bd4e9a2004c0c01aab5ea292a869c82b697

SHA512
8a0743e3cd5c34a40e733ef0d69b6f06bceabce468026e78802f9efa46ea3872669b29dae099d66f20d4008589f561000628a38cc52eef6ae4d44d71df7318c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61f292af47cdd_Thu12168454a4a.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
215KB

MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a3b1188_Thu12926eaf6b3.exe

Filesize
1.5MB

MD5
fbd3940d1ad28166d8539eae23d44d5b

SHA1
55fff8a0aa435885fc86f7f33fec24558aa21ef5

SHA256
21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7

SHA512
26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a4b3280_Thu12692268df32.exe

Filesize
380KB

MD5
5b14369c347439becacaa0883c07f17b

SHA1
126b0012934a2bf5aab025d931feb3b4315a2d9a

SHA256
8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307

SHA512
4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a50b8fa_Thu12c85191.exe

Filesize
106KB

MD5
4fda4b291bdc23439208635f8b4f10e5

SHA1
6911fce737067d5bbeab05960ecd56d3a0fe0dfb

SHA256
79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480

SHA512
5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a688404_Thu122ae6bbac.exe

Filesize
191KB

MD5
a05b981f73e296c8edf29ea9f68b8355

SHA1
f959ea0a5569320682e194bd87ae3fbf0b382647

SHA256
3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100

SHA512
d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292a8a0a6c_Thu12fda79da.exe

Filesize
116KB

MD5
b8ecec542a07067a193637269973c2e8

SHA1
97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

SHA256
fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

SHA512
730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292aaee251_Thu12817405.exe

Filesize
1.5MB

MD5
e65bf2d56fcaa18c1a8d0d481072dc62

SHA1
c7492c7e09b329bed044e9ee45e425e0817c22f4

SHA256
c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895

SHA512
39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ac194f1_Thu1230653d.exe

Filesize
191KB

MD5
af0de0482a6545057fb04ece77e0e83e

SHA1
a5275870f175a76ae14d965211d02a5214adb5c2

SHA256
605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a

SHA512
92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ad20a43_Thu120f4aad3d7.exe

Filesize
465KB

MD5
8b361d36500a8a4abd21c08235e6c0c8

SHA1
c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce

SHA256
dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5

SHA512
6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292adcd500_Thu12dd12e2c.exe

Filesize
372KB

MD5
b0448525c5a00135bb5b658cc6745574

SHA1
a08d53ce43ad01d47564a7dcdb87383652ef29f5

SHA256
b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859

SHA512
b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ae24e70_Thu12a74e4137.exe

Filesize
879KB

MD5
cc722fd0bd387cf472350dc2dd7ddd1e

SHA1
49d288ddbb09265a586dd8d6629c130be7063afa

SHA256
588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2

SHA512
893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292ae71b3f_Thu1291f781.exe

Filesize
8KB

MD5
ce54b9287c3e4b5733035d0be085d989

SHA1
07a17e423bf89d9b056562d822a8f651aeb33c96

SHA256
e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112

SHA512
c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292af47cdd_Thu12168454a4a.exe

Filesize
526KB

MD5
2fd3235d23e379fcca10cf25661689c8

SHA1
ac4c74c6c95693a6d9d67caf55a6106eaa408959

SHA256
a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc

SHA512
e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b10868e_Thu12702ecb5.exe

Filesize
339KB

MD5
6cda68905cfd314c1b5dcafd6adebc96

SHA1
c6e952b5190121ab0c082a2de4bc0caf06d1dcf0

SHA256
927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0

SHA512
952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b2a8973_Thu12d2978de30.exe

Filesize
2.0MB

MD5
9691ad5126152a385a01220ee47221c1

SHA1
48465630edcdc71525c792c0b855ef0d321f6a5e

SHA256
34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67

SHA512
b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\61f292b465d58_Thu127ed1404d.exe

Filesize
1.6MB

MD5
79400b1fd740d9cb7ec7c2c2e9a7d618

SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3

SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E1F4997\setup_install.exe

Filesize
2.1MB

MD5
b14eef8f9059c67b05c710b51d150f82

SHA1
645988e081d1948cae842614cc75875aec8cf68c

SHA256
3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e

SHA512
bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk

Filesize
620B

MD5
b2a2f85b4201446b23a250f68051b4dc

SHA1
8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5

SHA256
910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade

SHA512
188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk

Filesize
872KB

MD5
662676b6ae749090c43a0c5507b16131

SHA1
0aec9044c592c79aa2a44f66b73ed0c5cb62fd68

SHA256
4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4

SHA512
ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0unsnrs.hao.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EI6OO.tmp\61f292a4b3280_Thu12692268df32.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSI07.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T6KCI.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TR417.tmp\61f292aaee251_Thu12817405.tmp

Filesize
2.5MB

MD5
83b531c1515044f8241cd9627fbfbe86

SHA1
d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

SHA512
9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_1293474484\0b3924bd-e481-4f82-ae7c-637da663c84e.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_1293474484\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/372-290-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/528-204-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/912-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1060-283-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1060-289-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1128-262-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1152-180-0x0000000004C00000-0x0000000004C1E000-memory.dmp

Filesize
120KB

Download
memory/1152-167-0x0000000000340000-0x00000000003CA000-memory.dmp

Filesize
552KB

Download
memory/1152-169-0x0000000004C20000-0x0000000004C96000-memory.dmp

Filesize
472KB

Download
memory/1668-63-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/1668-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1668-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1668-65-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/1668-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1668-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1668-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1668-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1668-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1668-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1668-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1668-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1668-205-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1668-213-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1668-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1668-214-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1668-212-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1668-211-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1668-208-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1668-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1668-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1820-358-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/1820-254-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/1820-383-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/1820-316-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/1820-368-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/2440-179-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2628-246-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-245-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/2628-247-0x0000000005540000-0x000000000557C000-memory.dmp

Filesize
240KB

Download
memory/2628-244-0x0000000005AA0000-0x00000000060B8000-memory.dmp

Filesize
6.1MB

Download
memory/2628-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2864-176-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2864-280-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2940-181-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-184-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3084-170-0x00000000004F0000-0x0000000000582000-memory.dmp

Filesize
584KB

Download
memory/3084-161-0x0000000002F70000-0x0000000002F7A000-memory.dmp

Filesize
40KB

Download
memory/3084-163-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3084-115-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3084-271-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3084-134-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/3084-132-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3084-276-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/3084-219-0x0000000000170000-0x0000000000188000-memory.dmp

Filesize
96KB

Download
memory/3084-131-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3084-148-0x0000000000170000-0x0000000000188000-memory.dmp

Filesize
96KB

Download
memory/3820-99-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/3964-277-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3964-304-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4076-178-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/4440-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4440-215-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4756-251-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/4756-272-0x0000000007E20000-0x0000000007E3A000-memory.dmp

Filesize
104KB

Download
memory/4756-232-0x000000006DF50000-0x000000006DF9C000-memory.dmp

Filesize
304KB

Download
memory/4756-231-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/4756-198-0x0000000006840000-0x000000000688C000-memory.dmp

Filesize
304KB

Download
memory/4756-197-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4756-82-0x00000000051F0000-0x0000000005226000-memory.dmp

Filesize
216KB

Download
memory/4756-243-0x0000000007990000-0x0000000007A33000-memory.dmp

Filesize
652KB

Download
memory/4756-248-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/4756-249-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/4756-145-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/4756-147-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/4756-146-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/4756-257-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/4756-273-0x0000000007E10000-0x0000000007E18000-memory.dmp

Filesize
32KB

Download
memory/4756-133-0x0000000006040000-0x0000000006062000-memory.dmp

Filesize
136KB

Download
memory/4756-242-0x0000000006D60000-0x0000000006D7E000-memory.dmp

Filesize
120KB

Download
memory/4756-270-0x0000000007D30000-0x0000000007D44000-memory.dmp

Filesize
80KB

Download
memory/4756-269-0x0000000007D20000-0x0000000007D2E000-memory.dmp

Filesize
56KB

Download
memory/4756-91-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/4756-255-0x0000000007D60000-0x0000000007DF6000-memory.dmp

Filesize
600KB

Download
memory/4872-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4872-186-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download