fabookie | 669ae7546f43d4f4c06680ccf97908e524ad1ccd818d13e2cc8460619ce753a3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
Size

6.0MB
MD5

86ccfd1a65f0462d8e9f0f6f8afdfb56
SHA1

81d24059fc2153dcee703c5a15ddbf05bdf40dc0
SHA256

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277
SHA512

a57371adebbe59510b6068f8b204ab296d34f8f0bdc97926ed2c239ff5d4d4521cc2b7fbd39cd26045a219754a087dca9e0f07189fafbeb77f93c3da2d467372
SSDEEP

196608:JCkC/es5dTeoJSnAaokBCXno+6Rj815MJxQP:JEmsXTeE5ahonJX6e

Score

10^/10

fabookie nullmixer redline socelars vidar 915 media14n aspackv2 discovery dropper execution infostealer spyware stealer

Malware Config

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes

profile_id
915

Extracted

Family

redline

Botnet

media14n

65.108.69.168:13293

Attributes

auth_value
db1bd9b56a9c8bae94bb9c3ceead1829

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15cf9217ee25.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-227-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15a496b9738c79.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15cf9217ee25.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\11111.exe	Nirsoft
behavioral2/memory/2652-178-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15cf9217ee25.exe	WebBrowserPassView

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4144-216-0x0000000000400000-0x0000000000892000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1580 powershell.exe
3520 powershell.exe

pid	process
1580	powershell.exe
3520	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libcurlpp.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exesetup_installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Executes dropped EXE 13 IoCs

Processes:

setup_installer.exesetup_install.exeWed15a496b9738c79.exeWed15b1f483121d7.exeWed15cf9217ee25.exeWed15b688725f14e50ec.exeWed15df05b995.exeWed15ada196cda5299.exe11111.exeWed15b1f483121d7.exeWed15b1f483121d7.exeWed15b1f483121d7.exeWed15b1f483121d7.exe

pid	process
4816	setup_installer.exe
3420	setup_install.exe
2696	Wed15a496b9738c79.exe
4684	Wed15b1f483121d7.exe
4148	Wed15cf9217ee25.exe
1388	Wed15b688725f14e50ec.exe
4144	Wed15df05b995.exe
4196	Wed15ada196cda5299.exe
2652	11111.exe
4800	Wed15b1f483121d7.exe
4456	Wed15b1f483121d7.exe
2344	Wed15b1f483121d7.exe
4344	Wed15b1f483121d7.exe

Loads dropped DLL 6 IoCs

Processes:

setup_install.exe

pid process

3420 setup_install.exe
3420 setup_install.exe
3420 setup_install.exe
3420 setup_install.exe
3420 setup_install.exe
3420 setup_install.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe

Drops Chrome extension 1 IoCs

Processes:

Wed15a496b9738c79.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	Wed15a496b9738c79.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

34 iplogger.org
36 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Wed15b1f483121d7.exe

description pid process target process

PID 4684 set thread context of 4344 4684 Wed15b1f483121d7.exe Wed15b1f483121d7.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5060 4196 WerFault.exe Wed15ada196cda5299.exe
4816 4144 WerFault.exe Wed15df05b995.exe

flow	ioc
34	iplogger.org
36	iplogger.org

flow	ioc
10	ip-api.com

description	pid	process	target process
PID 4684 set thread context of 4344	4684	Wed15b1f483121d7.exe	Wed15b1f483121d7.exe

pid	pid_target	process	target process
5060	4196	WerFault.exe	Wed15ada196cda5299.exe
4816	4144	WerFault.exe	Wed15df05b995.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Wed15b1f483121d7.execmd.execmd.execmd.execmd.execmd.exepowershell.execmd.exeWed15cf9217ee25.execmd.exeWed15b688725f14e50ec.exesetup_installer.execmd.execmd.execmd.execmd.exe11111.execmd.exe7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exesetup_install.exeWed15a496b9738c79.exeWed15ada196cda5299.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.exeWed15b1f483121d7.exeWed15df05b995.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15cf9217ee25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b688725f14e50ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15a496b9738c79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15ada196cda5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15df05b995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wed15ada196cda5299.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed15ada196cda5299.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3944 taskkill.exe

pid	process
3944	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753759269679372"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exechrome.exechrome.exe

pid	process
3520	powershell.exe
1580	powershell.exe
1580	powershell.exe
3520	powershell.exe
3520	powershell.exe
1580	powershell.exe
3056	chrome.exe
3056	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3056 chrome.exe
3056 chrome.exe
3056 chrome.exe
3056 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWed15a496b9738c79.exepowershell.exeWed15b1f483121d7.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeCreateTokenPrivilege	2696	Wed15a496b9738c79.exe
Token: SeAssignPrimaryTokenPrivilege	2696	Wed15a496b9738c79.exe
Token: SeLockMemoryPrivilege	2696	Wed15a496b9738c79.exe
Token: SeIncreaseQuotaPrivilege	2696	Wed15a496b9738c79.exe
Token: SeMachineAccountPrivilege	2696	Wed15a496b9738c79.exe
Token: SeTcbPrivilege	2696	Wed15a496b9738c79.exe
Token: SeSecurityPrivilege	2696	Wed15a496b9738c79.exe
Token: SeTakeOwnershipPrivilege	2696	Wed15a496b9738c79.exe
Token: SeLoadDriverPrivilege	2696	Wed15a496b9738c79.exe
Token: SeSystemProfilePrivilege	2696	Wed15a496b9738c79.exe
Token: SeSystemtimePrivilege	2696	Wed15a496b9738c79.exe
Token: SeProfSingleProcessPrivilege	2696	Wed15a496b9738c79.exe
Token: SeIncBasePriorityPrivilege	2696	Wed15a496b9738c79.exe
Token: SeCreatePagefilePrivilege	2696	Wed15a496b9738c79.exe
Token: SeCreatePermanentPrivilege	2696	Wed15a496b9738c79.exe
Token: SeBackupPrivilege	2696	Wed15a496b9738c79.exe
Token: SeRestorePrivilege	2696	Wed15a496b9738c79.exe
Token: SeShutdownPrivilege	2696	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	2696	Wed15a496b9738c79.exe
Token: SeAuditPrivilege	2696	Wed15a496b9738c79.exe
Token: SeSystemEnvironmentPrivilege	2696	Wed15a496b9738c79.exe
Token: SeChangeNotifyPrivilege	2696	Wed15a496b9738c79.exe
Token: SeRemoteShutdownPrivilege	2696	Wed15a496b9738c79.exe
Token: SeUndockPrivilege	2696	Wed15a496b9738c79.exe
Token: SeSyncAgentPrivilege	2696	Wed15a496b9738c79.exe
Token: SeEnableDelegationPrivilege	2696	Wed15a496b9738c79.exe
Token: SeManageVolumePrivilege	2696	Wed15a496b9738c79.exe
Token: SeImpersonatePrivilege	2696	Wed15a496b9738c79.exe
Token: SeCreateGlobalPrivilege	2696	Wed15a496b9738c79.exe
Token: 31	2696	Wed15a496b9738c79.exe
Token: 32	2696	Wed15a496b9738c79.exe
Token: 33	2696	Wed15a496b9738c79.exe
Token: 34	2696	Wed15a496b9738c79.exe
Token: 35	2696	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	4684	Wed15b1f483121d7.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exesetup_installer.exesetup_install.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2668 wrote to memory of 4816	2668	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 2668 wrote to memory of 4816	2668	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 2668 wrote to memory of 4816	2668	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 4816 wrote to memory of 3420	4816	setup_installer.exe	setup_install.exe
PID 4816 wrote to memory of 3420	4816	setup_installer.exe	setup_install.exe
PID 4816 wrote to memory of 3420	4816	setup_installer.exe	setup_install.exe
PID 3420 wrote to memory of 1060	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1060	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1060	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4248	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4248	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4248	3420	setup_install.exe	cmd.exe
PID 4248 wrote to memory of 3520	4248	cmd.exe	powershell.exe
PID 4248 wrote to memory of 3520	4248	cmd.exe	powershell.exe
PID 4248 wrote to memory of 3520	4248	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1580	1060	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1580	1060	cmd.exe	powershell.exe
PID 1060 wrote to memory of 1580	1060	cmd.exe	powershell.exe
PID 3420 wrote to memory of 4832	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4832	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4832	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3668	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3668	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3668	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2108	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2108	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2108	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4628	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4628	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4628	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3804	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3804	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3804	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3800	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3800	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3800	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4384	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4384	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4384	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2144	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2144	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 2144	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1236	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1236	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1236	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3376	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3376	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3376	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3956	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3956	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3956	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4948	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4948	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4948	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3856	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3856	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3856	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3624	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3624	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3624	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4996	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4996	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4996	3420	setup_install.exe	cmd.exe
PID 3956 wrote to memory of 2696	3956	cmd.exe	Wed15a496b9738c79.exe

C:\Users\Admin\AppData\Local\Temp\7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
"C:\Users\Admin\AppData\Local\Temp\7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15ada196cda5299.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15ada196cda5299.exe
        
        Wed15ada196cda5299.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:4196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 356
        6⤵
        Program crash
        
        PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed150fa420cf1b07ced.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed151063a67e4fb25.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15348d008c3887.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15cf9217ee25.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15cf9217ee25.exe
        
        Wed15cf9217ee25.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15462d0908875cc7.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed158c4d832483dca5.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15293e7a1888b.exe /mixtwo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed156eff953b0ec.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15b1f483121d7.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        
        Wed15b1f483121d7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        6⤵
        Executes dropped EXE
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        6⤵
        Executes dropped EXE
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        6⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15a496b9738c79.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15a496b9738c79.exe
        
        Wed15a496b9738c79.exe
        5⤵
        Executes dropped EXE
        Drops Chrome extension
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7fffa6a1cc40,0x7fffa6a1cc4c,0x7fffa6a1cc58
        7⤵
        
        PID:4252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
        7⤵
        
        PID:5060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:3
        7⤵
        
        PID:2592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2328,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
        7⤵
        
        PID:2736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
        7⤵
        
        PID:548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3284,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
        7⤵
        
        PID:1400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
        7⤵
        
        PID:1480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4368,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
        7⤵
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4360,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
        7⤵
        
        PID:4568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
        7⤵
        
        PID:4000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
        7⤵
        
        PID:940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
        7⤵
        
        PID:5100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
        7⤵
        
        PID:1420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5348 /prefetch:8
        7⤵
        
        PID:3312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:8
        7⤵
        
        PID:396
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5412,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5452 /prefetch:2
        7⤵
        
        PID:3884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5516,i,11911287837186249467,14820133446209863950,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1541b8f98f.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15df05b995.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15df05b995.exe
        
        Wed15df05b995.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1636
        6⤵
        Program crash
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1585cf7372.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15b688725f14e50ec.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b688725f14e50ec.exe
        
        Wed15b688725f14e50ec.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4196 -ip 4196
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4144 -ip 4144
1⤵
PID:4616

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
74bcfc60587f50ab81630b00f36a4cad

SHA1
c88efb61eebafa40a4f636a458a94ccb1b36f261

SHA256
0cd64dcbeb84a489ecfd5da92910737faf2d2ff62c54e0d845579ad820324891

SHA512
7f8e271f0d27b4c17df7ee733b62b86e2114ca31f328d866cf0d41dd2287ca3ee455faa6ba34f80676e6ab7c3e1ab75b9334e68894590742d4e93b7a4abcf60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
cce6a6c12675474cfa2512e288dd85c3

SHA1
b87c1fd4f60e4b3f98e18baf2a05107725922e4a

SHA256
5d531326d6895fd3795b5b8448d3b5987625054cc5e8eb861d3cf8e997c35213

SHA512
d0a87d67690caff65c974ba9556b3cbe1f837b58c584b83d1815698c2cff2e1e29d4cef973a09efd499c47737bc4ea61100c3ef51044926da0c199ca827b908e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3f685f68970cfa9c789a24445f7c61ea

SHA1
a0a89a6e9748c67ad1a050bf88c4bfff59b9faa9

SHA256
02d99c679c6b82bcbaee16ac77b16f2eaa759c841226446851bee0898c2d6438

SHA512
3b47e96fc7f87a1031c241654b68f1a1b7503372844975dae886e5354f362ac690c56a6df7552e08196830e6be63fb307ba8b9677f488142ca0ee066ee6a6dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9c9183b6bbf7b815986a7e18988cd454

SHA1
557c4ed1848fbd6a43922b2f365bad060f73cf69

SHA256
6f52a0036ff7d313af0272956b408d61f4b1c514776a061df0af9d6440afddfa

SHA512
597bf8f54ccb73e063eb3421f5698c1beb342b040e47e80da5ed9c09f0369a30e7d93bd177951bf558cfbf38e71751214a8605044655fdd73c742ec009c97e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
012b15954ce3ca75760fcc2747bbe57a

SHA1
ddf638fb91617f66ad9657fd6cb69e65d3707e99

SHA256
09c7fc6b4e5f9431db17b9198c370f3705fe4fdf473e86884c45fa2e6e1cc139

SHA512
49a97564ad60fb0be58601ad06dcd88b4f52500ab4153782ebb2ea9ab929cfbc4b4a847eda01b5b7d3c1d7e8952a4ee029d1c29c6699474e549d360cd696801d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fb360754a78839b948c2f675db13934

SHA1
ab4c73475adc45aa796b8105ebd8998b8b29cf8f

SHA256
1ccc86fc0854c37c149f09a53c7b021b6d15c9779b757d315fc237689049c537

SHA512
c22780a3be704ada28c621a5602c87603c03e287eb974e6d4fcc0f5b43c419951441394d00fe71c9a09ee9b6c2cf57c3f72703a1997471f82014c7806d550c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1eae082cf3995e23d1d2d515a43f4723

SHA1
f1385accf51e61998c986959b8af842a5873597f

SHA256
6e7182ec8ed6ddfd5e4b99a095e1a67870489c9d23699a91586eb683fd9cf8f8

SHA512
bab0a5cf5f874af7dd2205729204025d0e0fb37bdf4b567b98c67ed392791dc763a6880fb8ee939f30607d9ab7ead5453868f96afee31876c18d7ac3a38c926f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
622d1cd05b87e4289e1381b3c24f8ed5

SHA1
b87dd44189b1878853c2faf8fdc69f047688ca64

SHA256
b4e00eacd8c1d4d0aa4ed628a2785f9c43e3ab13e642c648522bcb02b9dc22cd

SHA512
265d76bbba84a1659701d931344cbf8f6efdd1622c3a85be88df09aab26cffd8b391e2125ef4ed5fec0f12d430d7049809304540c46af818f513ad84768b57cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
797c978f87f837eb4aa92d7a3c9ebc03

SHA1
66b3620c13bf6c032f0b53c5fcda048b94061573

SHA256
930922733ec433f5babaebade6adabc2c25462df3bb90e93f05dd931e08941ba

SHA512
b2bf5892b76a37bb4bfd71a882fef380dd6248bc5b7e393d33da649b6af93eec28364e9070d9ea4fd4d7f3e4f49f0586822fc36648063319458aba4c2010efad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3bcb1536467250f7c604e821e3ce1f4

SHA1
d32380282950e07fdaa6888ba2a6c606bdb264e6

SHA256
7049b0d04e645e46b5c8d5d47b3839c4f5708390b35dc38406d08c0c65765657

SHA512
60da7f26199b6e3210d15a9e6bfe93dfae9d4151230354f20b112f0429b9278bb1e82816df62076aecec8799e26aa69b536287d1c1e4dcd55ae44d69c0fa6e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80c5b4b929ac03139fb9551d83d10efd

SHA1
a49311eecbcd6f583ddb6982aea1dbb59b1e7159

SHA256
8f49def3bc72009744258d71f48f1a7cebca1aa8af5f15641b6f922f0f1dff6e

SHA512
329d197aa0039221c00dd0382a9e2d687458206f86cecfae01ed208b872cc7e5f18526c0343372ef838738bf9297c200172cacd624920782c77ee752c716499d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2750a8fdda85377ccb45a5d33f964a27

SHA1
e50b074bfa9412ca5a19841c53c2a7f2beb4a537

SHA256
b06a1224f34f8ca96296c9c5cd66dd1bfca4bf15ba253bf3cf190fd2b5c2455b

SHA512
97b3fc8968f65530cfe160a9d540fb249f97cc6a5d853021ac09b3d4ac3da51c51f8e993c76733f3032b463b4357991579ebd526afdd65b38e6b69357a028591

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
95a2a81e6f8a67826f29c1f2023d6a13

SHA1
f476d45ed2b6c9a424f549ba708cd441961d4a34

SHA256
9025fe6c688ad6e7cf5f8c67b797313afed7e3220005d00bbfe603b600c9f916

SHA512
40b7893b800290636679deaf6b19f37f92c72403ceab767b2861254470276abd4a2bdf3efadee73a71208d13df6125f4ec7a63e083650a08b8a07cc6d97f7495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
09ed7abe7f53f088a521e8d81f6c3dc6

SHA1
d8b0fceab80957b44e24fb0f11dec0dbf8a944db

SHA256
0452f6ded757cc1b7cba91b9ef98912d44c33d8b3613c6901f997b4bdbf47b6d

SHA512
1c9ebefcc5512d1737c736a68c24cb9888018c65e297121fe175ccdc117999545742170ce04ddfa6812136636eb8c5c7b53b329a7719f6c406617c67770d3c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1cc968affd4f7061cf5a884d94aef24c

SHA1
02159a4c5094f1632e40d211fef94b15d5cb055b

SHA256
55a33c0513901ec193b71dd301604bdec9359cdaa5f6e929b383d977691e09d3

SHA512
43ab8563f15fd61bba6fceed2312c8c44f69edb1c5167c5e9e107367650c150715c80d8dc6d08c58ea98e3bed77be5edea4a5d6623d5f7deb394f2f60068734a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1104bdf06c9b829d083d18f015cd6529

SHA1
15464dc4522a3ef7178d57b08b1644584ac9302d

SHA256
b18e5210650d71b49a467da4c68727d36132b43494bb52f4d14ec22cfe33e3db

SHA512
6eace6802e79f7fe18d107eb04d7d6b7b91e13a947e1f11e074d057d9bc6fcbad14806809b3f8b1a734bee255fa4df4b468e20f77a4b6af252704b2fdda34f28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
03991e721c9d81146090afee91cd6b52

SHA1
64f3d8b9530fcc7c7b6792e2325b84a356eb1c46

SHA256
9393ffc529349991a9809b81294a6d094c9885d2e4c484445c1d624796512077

SHA512
e6729307ec3b492bd471e083c9715f3fed838558bbd8b32bcf9b348ee2535e857db69991f886d84fbaa5c8f7ce73ad37e823c70cb257b4f4dcbbc47b815075b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed15b1f483121d7.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
ba8ceb328c2f66f84e90237ab0dbc58c

SHA1
6253d63c212d6cbb20f21b2e097e12331b33eb94

SHA256
8a9311085fbbc6333f944b8ae09fae20afe3a0741138a819803bae46c637b2e4

SHA512
957247365a1db63de744a746f9e0498cd2ed67d00f8874fe98f7f4962d874f35eccf146fbf843ae145bbb8710625fb3af0b0e99e7e4158b902e2e6d96d12063a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
311KB

MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed150fa420cf1b07ced.exe

Filesize
120KB

MD5
dcde74f81ad6361c53ebdc164879a25c

SHA1
640f7b475864bd266edba226e86672101bf6f5c9

SHA256
cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b

SHA512
821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed151063a67e4fb25.exe

Filesize
151KB

MD5
3b31cac552dc741631b567493f238a2f

SHA1
d92c09126462846d41365a0180a1572a4b5838e0

SHA256
f593c276fffb9961b488a71f33b2675ac50331f704020f7017bd0bf4b469079c

SHA512
631bcb3ecdf59daf9b3c007844928302bb837c16f9df04a419a7aed57bd73a809febab69c0ea412216fc7d666e59a94c1e85432a059152d26f29a91c63ebfe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15293e7a1888b.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15348d008c3887.exe

Filesize
147KB

MD5
c709426184c7d412e0770fdcece52c60

SHA1
ba5caaa72a7f1338815a6f61767fbbcda3f61e52

SHA256
279d55e004ded5923888a2a5bf2e9e8295fa669a436e426396734def04565ea4

SHA512
7f5310126428128851249ce07f08c9d9410274eda04fbe4d8d5a0e4d6256f3fee96846fa0d3ce1206ce1c592c1b87d47bbd0083a47bd1a0726ea80c9804803f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed1541b8f98f.exe

Filesize
532KB

MD5
43e459f57576305386c2a225bfc0c207

SHA1
13511d3f0d41fe28981961f87c3c29dc1aa46a70

SHA256
fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787

SHA512
33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15462d0908875cc7.exe

Filesize
1.8MB

MD5
ed6bba126cb98da82d5160f44c487147

SHA1
1bc0a3d09fed8a322e0e3f9399ac8efb0a556e34

SHA256
78fa012b9e7b197a0905215d0400d563524b975533c63befaf24644bab5af4c1

SHA512
e94e08bf9ff8c790fc63ac0b395736c6876b938aa3622f371cdbe7e43f67ad1baecad9680ed777a90f5d2c71eace477a63c753f47e1088afbd78fd17693ad881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed156eff953b0ec.exe

Filesize
381KB

MD5
0295436778d0d530c12a4f2576f9717f

SHA1
fc712556f67fc2ac6eef59db2783d0c4d5e45068

SHA256
8bfd2ae9f340057c1ba4c042215ccc3a461ea24277f2a77e23d915ceb495910a

SHA512
b05f7901cde3c772694a959d040eda981f67c6355611729deb3251feac60621122f0558b2ca36f9e2c6425d92b406f331267b75d4b42597f07e94825ffbfc2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed1585cf7372.exe

Filesize
8KB

MD5
7e32ef0bd7899fa465bb0bc866b21560

SHA1
115d09eeaff6bae686263d57b6069dd41f63c80c

SHA256
f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad

SHA512
9fbf4afc7a03460cd56f2456684108ccce9cfc8d31361bb49dd0531fa82b6b002450ab3c4c7f3d96f1dc55761615465828b1c33702d23d59fabe155a9db1b5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed158c4d832483dca5.exe

Filesize
1.5MB

MD5
204801e838e4a29f8270ab0ed7626555

SHA1
6ff2c20dc096eefa8084c97c30d95299880862b0

SHA256
13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a

SHA512
008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15a496b9738c79.exe

Filesize
1.4MB

MD5
367c574185ea01ac2ba69a1c8856ad57

SHA1
0b9b5af1ce8dce38937357f47e2817d85a6aba61

SHA256
18a630270e0ab33eccfb304269b4fa5bcefa565a1dbe3bd04f3f2a269646f5e9

SHA512
7862ad92b670e7193f266473c59166a6a9081ad28c66d328521aa288ad3ab92d9b98563b0fb768442706692224a69965d697b75dc974c73be934b5fd32f80a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15ada196cda5299.exe

Filesize
166KB

MD5
da9161800860fe7026a467b0974f7616

SHA1
e53ee1e2fdfcf777d7f5b3c47111c85edeee4c5a

SHA256
6a4a2c3368555340d852697a2fc56d9c98164b93e4101803466f8b6cbe68762d

SHA512
460508b701e610404567285c020a819926319d0564c1180371922972ead9568849fe2bf2192dd28f09706cad27a0bb5d93bb08bab70d87ff55c70e51920fa7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b1f483121d7.exe

Filesize
532KB

MD5
394452dc2bb66b83e6763fc1542b2a87

SHA1
74b3fb5bf64f4eb3fc59152330befef67f5464c2

SHA256
037bed7bce597aec4c2320e48715ab3a387d10e1ecad7a494bc72ebd60168794

SHA512
b5f4405a672df81d4e5155247bbd5522f15b534c6edd2892fc4c9032ae3d8c42d6e239ca52f604f84fdad993e7deeff4613938403cb829b60e610f683a40ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15b688725f14e50ec.exe

Filesize
147KB

MD5
fb6abbe70588dd2b3fb91161410f2805

SHA1
193085164a8d2caa9e1e4e6d619be6481b5623b9

SHA256
9283fb214b006f9e2fd49fe21798a44ae5663566b1b2b08b448db7bdda996859

SHA512
9f2e7045982e61efeb4b3ec5523b0cc63d096166fcb02ea1d66fcdbf0f2fbec575baa381f7727c9222ea23b65038e4f98479514ab3168b6d9f5138cb64bb177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15cf9217ee25.exe

Filesize
1.4MB

MD5
6a306f07fcb8c28197a292dcd39d8796

SHA1
ef25c24fd3918a0efd450c1c5c873265d5886626

SHA256
68fb1568af02a8bff326df6de053d082199db809aa925aefac2749c64f78994f

SHA512
84f938b3974be1b66872cdacb910ec580a2542068d018ac93662238de55a898a5d6df6e9a202a18138effc9308fffac1612149be879f1803bc73f5972f54b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\Wed15df05b995.exe

Filesize
642KB

MD5
4ab9a562ae67268c6bb05b16d749bc9b

SHA1
68d495c62dfeb11a06b3c0d01d090bb56cb48140

SHA256
aae6eab70a845dacd24f6e33c7e5161b2218a784b8d6017e1d9dda95d83ddf6d

SHA512
822108a76a47edc6782c41195c5947844bb6f6e588ebd5f4de2fd3c944dab81416ef051dd4aef6d3908e1dd79c2c96043668d4e7127b595a69af312256032e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0D2B42B7\setup_install.exe

Filesize
2.1MB

MD5
912368164a5c99aacb8fcb58b4ee017a

SHA1
29f6342d0b955bd861ca83135b286f505f1c68a6

SHA256
1523475f249dac98abee0ead1f81d3d408d3bf67827c7382e034e7d330fe7c7a

SHA512
ef741ad8b9402ed5b1ddbf4ecf8440ae5304dcfe3450af21b52dd9c1fd71de6c44a2bfd5f8cd0c518fc08bc1c40a45f748287009031699a415de0f95794c90b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qs34vko1.g3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3056_411857786\428977e8-2a46-46a9-9545-c581310e7ed9.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3056_411857786\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
6.0MB

MD5
cb6ea932807f63821715e87a32d96ba6

SHA1
cc2fb753d385683d6f972adab5b3148ca30d75c9

SHA256
aa401b09d4b6ec37c7159a9b025500993642573bc32b1e78aaea25c2fe168c57

SHA512
acc3a31e1753e3185674f57c870a410e9ca6aa139fd43384845ebd51cacebb682e1a70a65acb170859b71f7562b9717d2fca8c192dfc366fcf16d9477dc4d065

Download Submit
\??\pipe\crashpad_3056_MNTQDHMFVDSJCSCF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1580-167-0x00000000747D0000-0x000000007481C000-memory.dmp

Filesize
304KB

Download
memory/2652-178-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3420-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-74-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/3420-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-75-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-125-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-124-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-123-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-122-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3420-120-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3420-116-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3520-145-0x00000000047C0000-0x00000000047DE000-memory.dmp

Filesize
120KB

Download
memory/3520-111-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/3520-185-0x00000000070A0000-0x00000000070A8000-memory.dmp

Filesize
32KB

Download
memory/3520-184-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/3520-86-0x0000000004480000-0x00000000044B6000-memory.dmp

Filesize
216KB

Download
memory/3520-87-0x0000000004C40000-0x0000000005268000-memory.dmp

Filesize
6.2MB

Download
memory/3520-183-0x0000000006FC0000-0x0000000006FD4000-memory.dmp

Filesize
80KB

Download
memory/3520-88-0x0000000004A90000-0x0000000004AB2000-memory.dmp

Filesize
136KB

Download
memory/3520-90-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/3520-89-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/3520-146-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/3520-149-0x00000000747D0000-0x000000007481C000-memory.dmp

Filesize
304KB

Download
memory/3520-182-0x0000000006FB0000-0x0000000006FBE000-memory.dmp

Filesize
56KB

Download
memory/3520-181-0x0000000006F80000-0x0000000006F91000-memory.dmp

Filesize
68KB

Download
memory/3520-180-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/3520-164-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/3520-162-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/3520-161-0x00000000073C0000-0x0000000007A3A000-memory.dmp

Filesize
6.5MB

Download
memory/3520-159-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/3520-160-0x0000000006A10000-0x0000000006AB3000-memory.dmp

Filesize
652KB

Download
memory/3520-148-0x00000000069C0000-0x00000000069F2000-memory.dmp

Filesize
200KB

Download
memory/4144-216-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/4196-191-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/4344-235-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download
memory/4344-234-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/4344-233-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/4344-231-0x0000000005AD0000-0x00000000060E8000-memory.dmp

Filesize
6.1MB

Download
memory/4344-232-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/4344-227-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4684-144-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/4684-130-0x0000000005360000-0x00000000053D6000-memory.dmp

Filesize
472KB

Download
memory/4684-142-0x0000000005220000-0x000000000523E000-memory.dmp

Filesize
120KB

Download
memory/4684-128-0x0000000000AA0000-0x0000000000B2C000-memory.dmp

Filesize
560KB

Download