fabookie | 6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

9.6MB
MD5

e71bedc46122099d570715a1a7114d29
SHA1

b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256

bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512

4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f
SSDEEP

196608:xOri6u89eoFT6Sg+Sjp7SmWlEohbqE0fNGZDHbfxtC14kFVGlZAjxav4oKmuS5:xL6umeSTu+SjproRq8DHbf78wlZkYvl9

Score

10^/10

fabookie gcleaner nullmixer onlylogger smokeloader socelars pub3 aspackv2 backdoor discovery dropper execution loader spyware stealer trojan vmprotect

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

nullmixer

http://6242487de156a.com/

Extracted

Family

gcleaner

appwebstat.biz

ads-memory.biz

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral4/memory/956-129-0x0000000140000000-0x00000001406C5000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b6f-138.dat	family_socelars

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral4/memory/4760-275-0x0000000000400000-0x00000000004AB000-memory.dmp	family_onlylogger
behavioral4/memory/4760-305-0x0000000000400000-0x00000000004AB000-memory.dmp	family_onlylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4832	powershell.exe
2208	powershell.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000a000000023b71-47.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b64-94.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b74-99.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b72-49.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	62424880dba59_Mon2373ae22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	62424882a2d43_Mon2366e91c07.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	624248871e3ed_Mon2348d8b4e.exe

Executes dropped EXE 21 IoCs

pid	Process
4724	setup_install.exe
4352	6242487ebee69_Mon2360fbbe475.exe
4944	6242487fd82aa_Mon2391599e.exe
4524	62424880dba59_Mon2373ae22.exe
3872	624248845c537_Mon23d60fef.exe
5008	624248871e3ed_Mon2348d8b4e.exe
4760	624248bae0b4f_Mon2315c1392c.exe
2608	62424882a2d43_Mon2366e91c07.exe
956	624248bc6d13c_Mon235f07b88ae.exe
4496	624248bd917de_Mon2341a56212.exe
5116	624248bf51749_Mon23fd163f29.exe
1912	624248c03c802_Mon23cf6fc42c67.exe
1136	624248bf51749_Mon23fd163f29.tmp
1872	624248c2870d6_Mon23e0b3b0.exe
3512	62424882a2d43_Mon2366e91c07.tmp
3108	624248c3cb9af_Mon237bf16061.exe
3516	624248bd917de_Mon2341a56212.exe
3048	62424880dba59_Mon2373ae22.exe
4464	62424882a2d43_Mon2366e91c07.exe
3936	62424882a2d43_Mon2366e91c07.tmp
840	LAIM98KE88CM36M.exe

Loads dropped DLL 14 IoCs

pid	Process
4724	setup_install.exe
4724	setup_install.exe
4724	setup_install.exe
4724	setup_install.exe
4724	setup_install.exe
4724	setup_install.exe
4352	6242487ebee69_Mon2360fbbe475.exe
4352	6242487ebee69_Mon2360fbbe475.exe
4352	6242487ebee69_Mon2360fbbe475.exe
1136	624248bf51749_Mon23fd163f29.tmp
3512	62424882a2d43_Mon2366e91c07.tmp
4740	msiexec.exe
4740	msiexec.exe
3936	62424882a2d43_Mon2366e91c07.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral4/files/0x000a000000023b6b-115.dat	vmprotect
behavioral4/memory/956-129-0x0000000140000000-0x00000001406C5000-memory.dmp	vmprotect

Blocklisted process makes network request 1 IoCs

flow	pid	Process
134	4740	msiexec.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	624248c2870d6_Mon23e0b3b0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	iplogger.org
54	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x000a000000023b70-83.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	624248c03c802_Mon23cf6fc42c67.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 3516	4496	624248bd917de_Mon2341a56212.exe	120

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4452	3872	WerFault.exe	108
3468	4760	WerFault.exe	111
2392	4760	WerFault.exe	111
3012	4760	WerFault.exe	111
5080	4760	WerFault.exe	111
1052	4760	WerFault.exe	111
3668	4760	WerFault.exe	111
3740	4760	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248bf51749_Mon23fd163f29.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424882a2d43_Mon2366e91c07.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248bd917de_Mon2341a56212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6242487ebee69_Mon2360fbbe475.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424882a2d43_Mon2366e91c07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424882a2d43_Mon2366e91c07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424880dba59_Mon2373ae22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248871e3ed_Mon2348d8b4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248c03c802_Mon23cf6fc42c67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424880dba59_Mon2373ae22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62424882a2d43_Mon2366e91c07.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248845c537_Mon23d60fef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248bae0b4f_Mon2315c1392c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248c3cb9af_Mon237bf16061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248bf51749_Mon23fd163f29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	624248c2870d6_Mon23e0b3b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	624248bd917de_Mon2341a56212.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	624248bd917de_Mon2341a56212.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	624248bd917de_Mon2341a56212.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4424	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754685730693620"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2208	powershell.exe
2208	powershell.exe
1912	624248c03c802_Mon23cf6fc42c67.exe
1912	624248c03c802_Mon23cf6fc42c67.exe
4832	powershell.exe
4832	powershell.exe
2208	powershell.exe
4832	powershell.exe
3948	chrome.exe
3948	chrome.exe
5532	chrome.exe
5532	chrome.exe
5532	chrome.exe
5532	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	6242487fd82aa_Mon2391599e.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeCreateTokenPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeAssignPrimaryTokenPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeLockMemoryPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeIncreaseQuotaPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeMachineAccountPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeTcbPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeSecurityPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeTakeOwnershipPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeLoadDriverPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeSystemProfilePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeSystemtimePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeProfSingleProcessPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeIncBasePriorityPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeCreatePagefilePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeCreatePermanentPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeBackupPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeRestorePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeShutdownPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeDebugPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeAuditPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeSystemEnvironmentPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeChangeNotifyPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeRemoteShutdownPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeUndockPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeSyncAgentPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeEnableDelegationPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeManageVolumePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeImpersonatePrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeCreateGlobalPrivilege	1872	624248c2870d6_Mon23e0b3b0.exe
Token: 31	1872	624248c2870d6_Mon23e0b3b0.exe
Token: 32	1872	624248c2870d6_Mon23e0b3b0.exe
Token: 33	1872	624248c2870d6_Mon23e0b3b0.exe
Token: 34	1872	624248c2870d6_Mon23e0b3b0.exe
Token: 35	1872	624248c2870d6_Mon23e0b3b0.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3108	624248c3cb9af_Mon237bf16061.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4524	62424880dba59_Mon2373ae22.exe
4524	62424880dba59_Mon2373ae22.exe
3048	62424880dba59_Mon2373ae22.exe
3048	62424880dba59_Mon2373ae22.exe
840	LAIM98KE88CM36M.exe
840	LAIM98KE88CM36M.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4724	2576	setup_installer.exe	86
PID 2576 wrote to memory of 4724	2576	setup_installer.exe	86
PID 2576 wrote to memory of 4724	2576	setup_installer.exe	86
PID 4724 wrote to memory of 2492	4724	setup_install.exe	89
PID 4724 wrote to memory of 2492	4724	setup_install.exe	89
PID 4724 wrote to memory of 2492	4724	setup_install.exe	89
PID 4724 wrote to memory of 2504	4724	setup_install.exe	90
PID 4724 wrote to memory of 2504	4724	setup_install.exe	90
PID 4724 wrote to memory of 2504	4724	setup_install.exe	90
PID 4724 wrote to memory of 1544	4724	setup_install.exe	91
PID 4724 wrote to memory of 1544	4724	setup_install.exe	91
PID 4724 wrote to memory of 1544	4724	setup_install.exe	91
PID 4724 wrote to memory of 3336	4724	setup_install.exe	92
PID 4724 wrote to memory of 3336	4724	setup_install.exe	92
PID 4724 wrote to memory of 3336	4724	setup_install.exe	92
PID 4724 wrote to memory of 1504	4724	setup_install.exe	93
PID 4724 wrote to memory of 1504	4724	setup_install.exe	93
PID 4724 wrote to memory of 1504	4724	setup_install.exe	93
PID 4724 wrote to memory of 4728	4724	setup_install.exe	94
PID 4724 wrote to memory of 4728	4724	setup_install.exe	94
PID 4724 wrote to memory of 4728	4724	setup_install.exe	94
PID 4724 wrote to memory of 4592	4724	setup_install.exe	95
PID 4724 wrote to memory of 4592	4724	setup_install.exe	95
PID 4724 wrote to memory of 4592	4724	setup_install.exe	95
PID 4724 wrote to memory of 1884	4724	setup_install.exe	96
PID 4724 wrote to memory of 1884	4724	setup_install.exe	96
PID 4724 wrote to memory of 1884	4724	setup_install.exe	96
PID 4724 wrote to memory of 2832	4724	setup_install.exe	97
PID 4724 wrote to memory of 2832	4724	setup_install.exe	97
PID 4724 wrote to memory of 2832	4724	setup_install.exe	97
PID 4724 wrote to memory of 3920	4724	setup_install.exe	98
PID 4724 wrote to memory of 3920	4724	setup_install.exe	98
PID 4724 wrote to memory of 3920	4724	setup_install.exe	98
PID 4724 wrote to memory of 1008	4724	setup_install.exe	99
PID 4724 wrote to memory of 1008	4724	setup_install.exe	99
PID 4724 wrote to memory of 1008	4724	setup_install.exe	99
PID 4724 wrote to memory of 1188	4724	setup_install.exe	100
PID 4724 wrote to memory of 1188	4724	setup_install.exe	100
PID 4724 wrote to memory of 1188	4724	setup_install.exe	100
PID 4724 wrote to memory of 4608	4724	setup_install.exe	101
PID 4724 wrote to memory of 4608	4724	setup_install.exe	101
PID 4724 wrote to memory of 4608	4724	setup_install.exe	101
PID 4724 wrote to memory of 4116	4724	setup_install.exe	102
PID 4724 wrote to memory of 4116	4724	setup_install.exe	102
PID 4724 wrote to memory of 4116	4724	setup_install.exe	102
PID 2492 wrote to memory of 2208	2492	cmd.exe	103
PID 2492 wrote to memory of 2208	2492	cmd.exe	103
PID 2492 wrote to memory of 2208	2492	cmd.exe	103
PID 2504 wrote to memory of 4352	2504	cmd.exe	104
PID 2504 wrote to memory of 4352	2504	cmd.exe	104
PID 2504 wrote to memory of 4352	2504	cmd.exe	104
PID 1544 wrote to memory of 4944	1544	cmd.exe	105
PID 1544 wrote to memory of 4944	1544	cmd.exe	105
PID 3336 wrote to memory of 4524	3336	cmd.exe	106
PID 3336 wrote to memory of 4524	3336	cmd.exe	106
PID 3336 wrote to memory of 4524	3336	cmd.exe	106
PID 4728 wrote to memory of 3872	4728	cmd.exe	108
PID 4728 wrote to memory of 3872	4728	cmd.exe	108
PID 4728 wrote to memory of 3872	4728	cmd.exe	108
PID 4592 wrote to memory of 5008	4592	cmd.exe	109
PID 4592 wrote to memory of 5008	4592	cmd.exe	109
PID 4592 wrote to memory of 5008	4592	cmd.exe	109
PID 1884 wrote to memory of 4760	1884	cmd.exe	111
PID 1884 wrote to memory of 4760	1884	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe
      6242487ebee69_Mon2360fbbe475.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe
      6242487fd82aa_Mon2391599e.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe
      62424880dba59_Mon2373ae22.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe" -h
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe
      62424882a2d43_Mon2366e91c07.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$F0066,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3512
      - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$3022A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe
      624248845c537_Mon23d60fef.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 344
        5⤵
        Program crash
        
        PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe
      624248871e3ed_Mon2348d8b4e.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5008
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /Y .\WJZ~MF~9.0S
        5⤵
        Loads dropped DLL
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe
      624248bae0b4f_Mon2315c1392c.exe /mixtwo
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 624
        5⤵
        Program crash
        
        PID:3468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 644
        5⤵
        Program crash
        
        PID:2392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 772
        5⤵
        Program crash
        
        PID:3012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 804
        5⤵
        Program crash
        
        PID:5080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 756
        5⤵
        Program crash
        
        PID:1052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 860
        5⤵
        Program crash
        
        PID:3668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 644
        5⤵
        Program crash
        
        PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bc6d13c_Mon235f07b88ae.exe
      624248bc6d13c_Mon235f07b88ae.exe
      4⤵
      Executes dropped EXE
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe
      624248bd917de_Mon2341a56212.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe
        
        624248bd917de_Mon2341a56212.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe
      624248bf51749_Mon23fd163f29.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp" /SL5="$4023C,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe
      624248c03c802_Mon23cf6fc42c67.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\LAIM98KE88CM36M.exe
        
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe
      624248c2870d6_Mon23e0b3b0.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffac96ecc40,0x7ffac96ecc4c,0x7ffac96ecc58
        6⤵
        
        PID:1952
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
        6⤵
        
        PID:1736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        
        PID:2936
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2596 /prefetch:8
        6⤵
        
        PID:3012
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
        6⤵
        
        PID:3844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1
        6⤵
        
        PID:944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
        6⤵
        
        PID:1384
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
        6⤵
        
        PID:468
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4520,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
        6⤵
        
        PID:2380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3660 /prefetch:8
        6⤵
        
        PID:2000
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
        6⤵
        
        PID:1504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
        6⤵
        
        PID:4552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
        6⤵
        
        PID:2380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8
        6⤵
        
        PID:2396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:1172
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5316,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:2
        6⤵
        
        PID:776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4732,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=208 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe
      624248c3cb9af_Mon237bf16061.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3872 -ip 3872
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4760 -ip 4760
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4760 -ip 4760
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4760 -ip 4760
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760
1⤵
PID:4892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5ac1ac48-0a3d-4d41-b279-7f7e735d6534.tmp

Filesize
9KB

MD5
43bedaabfcb52ad2bddf67465cecab2e

SHA1
8a5ade0794af66952db27739cb9f0ac7367276cc

SHA256
5241eba639c20bb9c40c693ce6422e0532bcd7837366f94e34707539b63141f7

SHA512
4b028bad618820be408ef54b31020aac93cd781608df5f3661eb597170ca298b623190697e6baaafec6508e014bd0b0b20936bcd00dde184c15e1e48da0026a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
551559c762e4de9effb699293b509cf7

SHA1
d32074ab2dd9d4d1a63ae69e3421eea292a43f82

SHA256
1e1f7b2a886878c8f1da471a242567a75d740a2cb8916684b0a9439b964c4f2a

SHA512
ef281de70fd1a4a949058da8d9779370e7935c4c4696a52dad2be5d6613c1598ded57251296bbdd4c7b97c4668c7de078136f284940ea53adf7827034baa3b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5793df12a6a77ebdc8c02708fa81e7c6

SHA1
5480cc99e919ec37b828c52383fc4edf5a17d25c

SHA256
8c3178344cc3de1f24f8056fcea6eaa0633277cbc34ae1f9df013775b3096356

SHA512
77978fda339a9252e1f5459c904967f26897407d6c8858cfdc9ccf6a29d3de7bcadcb91730b678a1ee2aaf32a2dedc04ebbd51654b27b1fdb7e13e8e05f2c3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e9c186ed39121aa9145d476e5e640c46

SHA1
2b60a69bc0cd0fd9a161e5bf6474e0af6732c4ac

SHA256
980d149b560d6f1c8a4fa7337a1a0f1e939bdb50c646d37af2fc132932e157ab

SHA512
590936e4d111fcc8cbf769fec57caabc04f9d90641234a7b390a40004df9d7e9bc00ebde177e6fc33941b84a2283dcc098120dfbbbf8b6aa0d918e64163681c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
afe2a3950cbedb50a9119a084e4d41a7

SHA1
ca08b9e7e9684e12602be3a1f3c9a4da758696e9

SHA256
9b77a6874d193d5661c5e0b7ab36e2fce4935df2d843aad76fc01584b2495b32

SHA512
86d45d0251bbb88a992e7cd8101e08a85de041f181fdbde2f1b9eca8936b87bc4d203cfc1af9505b02ffaae50ce6afea3673a1cb87a2af5a72e84be07c40acc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcb754def41998af917f22bd8225cc31

SHA1
0557a1bc3efd57e95290c364cf20a286a9906c00

SHA256
83f079fdc330d69a3e0b014a5bf2779255764a2e1b5ee089ab7d3ef94993790f

SHA512
9a5daebc01b2570c229462100079feca4e6bc5e84a5c6500c492e8a1f30992112b3c849c432ca09c8b32da3faf65993397f4d3465ccf0aaae2a4db9585bceeb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1702d8235fe3484f72a3eb17a1fbbfaf

SHA1
50c3031a0d715895678bd5256c085159c20ec3e3

SHA256
7d399aa5a47f088736db353f0c128894a9168b492b2780bf665af5754b7ba6ad

SHA512
dee090ee0e7039c5fae43c594940ce2900dd0b453966bca30fee568b74d3835b7f20a7fa5fff6586e708c3f041dc0232ac8acf72a14cf6a9d8963f1c006fa0ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f94da9d7c83577cbcbc59db43c132648

SHA1
7aa7c487f2df790f616b637b1e29b1a4488d5d6f

SHA256
7509d53535bea550565db05a8c343a05662cd2ba2fc2c1ada82f81029104e742

SHA512
fcc702cab1edf27930c62562d3de2edee80a5b8c03b37f66e2bcde866f8feac9f5287130db0741dd65133c94fa296b29c67ef642c9eb637029436a4c6f22dd69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
464ad6f70f6b5d792af40101f4a63444

SHA1
d065a16510c64e74d7fec09654b9b9a7722b98c8

SHA256
e8681662d46672b0150ce9646682e41dd2a77f828dae363f460cf2eee640bc6b

SHA512
b222128943eec99a8bdc5e87a0879a9410c27adf5d616b98ace298402804a5d4f28f925092471b626de3e828b4c7814ad59255c2806183b1c39f62adf0b9c654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9bee7626aad3ee2ae77ed07690d412a

SHA1
0b9f86206ed1f655f4a975a0d09d529ff4fe75bf

SHA256
ee71668515c3a7177b25f40139837ddb41d1e58b9121bd908e2baf8ac4645f6d

SHA512
bc58d5d2fed5a9f6ccbf646299fb35de9ab0c1479a830a82144bdea498edbce12ba287ce19e2241cc2b2c624a26be7a5a425761d038235dd5450e01cf48e3c2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0390cc2a6d912eb9ecca47e3205c359f

SHA1
37640a932b2a50bcbf0fda2a8672cbf0652ea53f

SHA256
f49e032a3d5b0c2d83a7a04298f00ac1b9b44df87cb33b42d52edf1d5c5b890a

SHA512
10012f031d42109bb970c23af750250a91111e2d6f9ea47ccfc5329b6afb566842e98cea42d48654f902cfede73ab2bc88cf5ea5b58ffe33c080d228acbd2f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
2681974425a68a5af9bd4bb938eed085

SHA1
781919f9c089210515da848ad77afa9ad3d130bb

SHA256
015fc7aed4b808185c0c897b222576c37b7c565efced5d1c5851eeb38a84efc2

SHA512
b8ee1561294f675773f3e853e18d95aec636781ae10d9f06269340a553c852bcb16e48ed24676824c495dbb3539d17dc0c2caf99db654109f9126b4b5998cc50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
05c914f45659f15d95418483747fc5df

SHA1
cd72b3eba5a707848ec2dcce0cd2d3261f7ce033

SHA256
b2053543ede246e1a91b2971f3f2398c96c95fba46a1621d11dd3de21570b427

SHA512
d1a4789917c1940fba6d3690d2ce6d125fc9261a1b67708720d783cf364d66b78f02de4030e449a1bca2da223edae903c9dfcf01b58bb86d37ef5d741903b2cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cab2832b3ade8642c29d4a7e5b6ac818

SHA1
f6cc1b9e40943e9f54f8622e39ec9b1c18e76c43

SHA256
c8ebf0bebd791abd92bbac956bc12a6ac45926c845271e3e43c8b1aa8d4a6448

SHA512
1ffdf475e3683a431cdb80d55e4525277df90a918fc674e6d25319f302cba33a13535e2109b0547968374ce5e1e3ca1068dc8a3f95df12747dbcb32832a593fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0136a7bf8a88f6ea30f6db56ccffe3ee

SHA1
a8c295faba6545cf0c7385cac43046803af5b983

SHA256
26cffb0349fac4454141a31956de0b92897ae4c9c81e4a60f9d531385318e7f3

SHA512
94818810aac9bc1efc48594bf80be8f2d7c41022c351dd91acd41f148771d020e9825969526878621909b0526a65dc1846fe0ea5c86e5de9a4e31bf21127611f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
5377528bbb03ef9aad3b10a8507ea35d

SHA1
dc60f6c55cbfc12bd0b90dc4683555406e75377a

SHA256
c1a408f3a068651469b2bf76da06244d45ce259e9a8edf33387421dede23a922

SHA512
17aaf34f46a7b6afb02ab7aefbe0276b726f0a1c0b727dfde2726c364379a0358ffa109194e303807baf6dba1ef7525db8142e39dad1aa91f2f11d72e2193d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
7bfc3b614f8005029c9763d2b73ca2fd

SHA1
5975b071483b92261dfc10eca7152e09e00439db

SHA256
b04e462ac6c4f2d6a04d57fc62cd68528a31928969076326485afe2b2d105ec5

SHA512
e7134b7f3543d57d6731f559622e1aec2783c2a97b912a36210a8277d5f9a1265dba9f0c0466af7925e980818251956c0c538dd7812a9695ce60591d6f5b3707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
05691ff069bf4b69111cf365d11ff98d

SHA1
ff27a8c928352e9020782590e648a7e679101c23

SHA256
5e6e30cde6f118f808e8e572efb7b4c194b9af0700f853d9c0c91cb07bebc2f9

SHA512
0aec11d1a9fddedaa7a0a7c40feb92d5011e6129fd4b28b8c604399aff958cb800ee3b034117e85b40835f66b32bb5033ef8597a39425a510df5fa260b97c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\570acece-11c1-4e68-b913-e161661a61ce.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe

Filesize
20KB

MD5
98c3385d313ae6d4cf1f192830f6b555

SHA1
31c572430094e9adbf5b7647c3621b2e8dfa7fe8

SHA256
4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be

SHA512
fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe

Filesize
145KB

MD5
7bdeeadd41822f3c024fba58b16e2cdc

SHA1
13a3319b0545e7ff1d17f678093db9f8785bba5a

SHA256
d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f

SHA512
1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe

Filesize
376KB

MD5
81cf5e614873508b9ecba216112c276b

SHA1
cb3115f68ffe4f428fc141f113dff477530f17fb

SHA256
fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413

SHA512
48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe

Filesize
1.5MB

MD5
52142a360efa5a88aa469593f3961bb4

SHA1
bb06f4b274789d3998ea3cbdc7d2056d4a99950f

SHA256
3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad

SHA512
de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe

Filesize
266KB

MD5
5bc6b4fcbdb2edbd8ca492b9ba9059f9

SHA1
6ad0140809c7f71769bf7bdd652442ffc4c2bc35

SHA256
f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8

SHA512
953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe

Filesize
2.0MB

MD5
327366acede3d33a1d9b93396aee3eb9

SHA1
3df53825a46673b9fb97e68b2372f9dc27437b7f

SHA256
12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051

SHA512
a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe

Filesize
414KB

MD5
dc3a42af98906ce86ad0e67ce7153b45

SHA1
83141ef3b732302806b27e1bd4332d2964418f07

SHA256
399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1

SHA512
f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bc6d13c_Mon235f07b88ae.exe

Filesize
3.8MB

MD5
a128f3490a3d62ec1f7c969771c9cb52

SHA1
73f71a45f68e317222ac704d30319fcbecdb8476

SHA256
4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a

SHA512
ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe

Filesize
253KB

MD5
0913c141934828228be4bee6b08cadfe

SHA1
caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f

SHA256
3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95

SHA512
29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe

Filesize
383KB

MD5
98362f1952eb1349f17f77bb70a9fbcc

SHA1
e8a2273215c3cea3100fa40536b0791fea27af8f

SHA256
9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321

SHA512
6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe

Filesize
1.6MB

MD5
79c79760259bd18332ca17a05dab283d

SHA1
b9afed2134363447d014b85c37820c5a44f33722

SHA256
e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3

SHA512
a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe

Filesize
1.4MB

MD5
9e7d2e1b5aac4613d906efa021b571a1

SHA1
b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1

SHA256
52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666

SHA512
5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe

Filesize
895KB

MD5
815d3b5cdc4aea7e8c8fe78434061694

SHA1
40aa8a3583d659aa86edf78db14f03917db6dda8

SHA256
226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4

SHA512
b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\arxiv.zip

Filesize
75KB

MD5
4298fa80523abf31d8d2dba0eecc47f4

SHA1
57849373d58c4afee2cfc8e64839b9f03929a67a

SHA256
5585cf0ec6321a62b8d7572e5eaaec6c092577d63713b503713e81288e8466ce

SHA512
548e1821d46e590c7782485be58a8b214819f7279dd537bff95101c165e6dc68783c67eb3cf41e6791029b1cb8221c76a04c32eb8b93ab12d38ada1376997bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe

Filesize
2.1MB

MD5
83c766fb0a8d71f559d79d600ea05297

SHA1
8f4e1868bef695539f2b7cb83b3e336e959f3087

SHA256
3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee

SHA512
1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuc5knci.zdo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4IQF1.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp

Filesize
694KB

MD5
25ffc23f92cf2ee9d036ec921423d867

SHA1
4be58697c7253bfea1672386eaeeb6848740d7d6

SHA256
1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703

SHA512
4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp

Filesize
2.5MB

MD5
bf0e3b12f2997dc8963a7185da858ae1

SHA1
750dfeb4768878a2a70708f7852137b29f84afdc

SHA256
9e2310fd47d35e832659298351275ec7aa30034d41d3669d22344738ffc23256

SHA512
2c115c105766edcf1a9a221bb897294a7d71eea4245ec659e5f0294523333cd141714e7cde6ab6535b0c4615f9b0cad7889968262287f192bb7b4c1cc8593a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QM3PQ.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3948_1170047814\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/840-384-0x0000026260520000-0x0000026260526000-memory.dmp

Filesize
24KB

Download
memory/956-129-0x0000000140000000-0x00000001406C5000-memory.dmp

Filesize
6.8MB

Download
memory/1136-194-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1912-277-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-134-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-276-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-325-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-155-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-156-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-160-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-368-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1912-157-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/1912-161-0x0000000002D90000-0x0000000002DD7000-memory.dmp

Filesize
284KB

Download
memory/1912-383-0x00000000000D0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/2208-110-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/2208-169-0x0000000005A50000-0x0000000005A72000-memory.dmp

Filesize
136KB

Download
memory/2208-170-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2208-171-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/2208-123-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/2208-266-0x0000000007740000-0x000000000774E000-memory.dmp

Filesize
56KB

Download
memory/2208-250-0x000000006E3D0000-0x000000006E41C000-memory.dmp

Filesize
304KB

Download
memory/2208-172-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/2208-222-0x0000000004F70000-0x0000000004F8E000-memory.dmp

Filesize
120KB

Download
memory/2608-112-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2608-187-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3512-185-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3516-158-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3516-162-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3872-230-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3936-300-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/4352-120-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4352-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4352-101-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4352-96-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4352-119-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4352-117-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4352-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4352-102-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4352-108-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4352-103-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4464-177-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4464-290-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4724-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4724-58-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/4724-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4724-84-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4724-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4724-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4724-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4724-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4724-93-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4724-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4724-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4724-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4724-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4724-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4724-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4724-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4724-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4724-60-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4724-88-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4724-59-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/4724-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4740-285-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

Filesize
628KB

Download
memory/4740-301-0x0000000003070000-0x0000000004070000-memory.dmp

Filesize
16.0MB

Download
memory/4740-282-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

Filesize
628KB

Download
memory/4740-283-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

Filesize
628KB

Download
memory/4740-280-0x000000002DE10000-0x000000002DEC1000-memory.dmp

Filesize
708KB

Download
memory/4740-199-0x0000000003070000-0x0000000004070000-memory.dmp

Filesize
16.0MB

Download
memory/4760-305-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4760-275-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4832-263-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/4832-237-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/4832-267-0x00000000078E0000-0x00000000078F4000-memory.dmp

Filesize
80KB

Download
memory/4832-265-0x00000000078D0000-0x00000000078DE000-memory.dmp

Filesize
56KB

Download
memory/4832-264-0x00000000078A0000-0x00000000078B1000-memory.dmp

Filesize
68KB

Download
memory/4832-269-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/4832-262-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/4832-261-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/4832-260-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/4832-268-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/4832-238-0x000000006E3D0000-0x000000006E41C000-memory.dmp

Filesize
304KB

Download
memory/4832-248-0x0000000007540000-0x000000000755E000-memory.dmp

Filesize
120KB

Download
memory/4832-226-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/4832-249-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/4944-114-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/4944-107-0x00000000000F0000-0x000000000011C000-memory.dmp

Filesize
176KB

Download
memory/5116-126-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-206-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download