Malware Analysis Report

2024-11-13 18:55

Sample ID 241107-tc2l4avgkd
Target 561cf900de177b402c608af14fdcae6bd23c728f
SHA256 6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957
Tags
nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner onlylogger smokeloader pub3 backdoor loader spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957

Threat Level: Known bad

The file 561cf900de177b402c608af14fdcae6bd23c728f was found to be: Known bad.

Malicious Activity Summary

nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner onlylogger smokeloader pub3 backdoor loader spyware trojan

Socelars payload

SmokeLoader

Socelars

GCleaner

Onlylogger family

Socelars family

Gcleaner family

Detect Fabookie payload

NullMixer

OnlyLogger

Fabookie

Fabookie family

Smokeloader family

Nullmixer family

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

ASPack v2.12-2.42

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops Chrome extension

Blocklisted process makes network request

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies data under HKEY_USERS

Enumerates system info in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:55

Reported

2024-11-07 15:58

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 14
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe N/A 1

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2644 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe 7
PID 2660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe 7
PID 2616 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2616 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe C:\Windows\SysWOW64\cmd.exe 1
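The WriteProcessMemory table is one row per call, so the parent/child chain (sample -> setup_installer.exe -> 7zS...\setup_install.exe -> many cmd.exe) is buried in repetition. The Python below is an added example, not part of the sandbox report: it parses rows in this report's layout into a process tree, collapses repeated writes into a count per edge, and flags any process that fans out to an unusually large number of children, which is the launcher shape setup_install.exe shows here. The embedded rows are a constructed, abridged copy of the table above (duplicates kept on purpose); the row regex assumes image paths contain no spaces, which holds for every row on this page, and the fan-out threshold of 5 is an arbitrary starting point.

```python
import re
from collections import Counter, defaultdict

# Image paths taken from the report's WriteProcessMemory table (behavioral1).
ROOT = r"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def row(src, dst, src_image, dst_image):
    """Render one row in the report's 'Description Indicator Process Target' layout."""
    return f"PID {src} wrote to memory of {dst} N/A {src_image} {dst_image}"


# Constructed sample: an abridged copy of the table above, duplicates kept on purpose.
SAMPLE_ROWS = "\n".join(
    [row(2644, 2660, ROOT, INSTALLER)] * 3
    + [row(2660, 2616, INSTALLER, SETUP)] * 2
    + [row(2616, 1944, SETUP, CMD)] * 2
    + [row(2616, pid, SETUP, CMD) for pid in (1664, 2244, 2376, 2844, 2396, 1992, 1368)]
)

# Assumes paths contain no spaces (true for every row in this report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per matching row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[4], m[5]))
    return rows


def build_tree(rows):
    """Collapse per-call rows into children sets, pid->image names and edge counts."""
    children = defaultdict(set)
    names = {}
    edge_counts = Counter()
    for ppid, cpid, pimg, cimg in rows:
        children[ppid].add(cpid)
        names.setdefault(ppid, pimg)
        names.setdefault(cpid, cimg)
        edge_counts[(ppid, cpid)] += 1
    return children, names, edge_counts


def roots(children):
    """PIDs that write to others but are never written to: the detonation root(s)."""
    all_children = set().union(*children.values()) if children else set()
    return sorted(p for p in children if p not in all_children)


def render_tree(children, names, edge_counts, pid, depth=0, seen=None):
    """Indented text tree; 'seen' guards against PID reuse producing a cycle."""
    seen = seen if seen is not None else set()
    seen.add(pid)
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for cpid in sorted(children.get(pid, ())):
        n = edge_counts[(pid, cpid)]
        lines.append(f"{'  ' * (depth + 1)}-> {cpid} {names.get(cpid, '?')} ({n} write events)")
        if cpid not in seen:
            lines.extend(render_tree(children, names, edge_counts, cpid, depth + 1, seen)[1:])
    return lines


def fan_out(children, min_children=5):
    """Processes with at least min_children distinct children: loader/launcher shape."""
    return {pid: len(kids) for pid, kids in children.items() if len(kids) >= min_children}


if __name__ == "__main__":
    children, names, edge_counts = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(children):
        print("\n".join(render_tree(children, names, edge_counts, root)))
    print("fan-out:", fan_out(children))
```

Run stand-alone it prints the tree rooted at PID 2644 with a write count on each edge and reports PID 2616 as the only process over the fan-out threshold. The same parser works on the behavioral2 table, whose PIDs differ but whose shape is identical.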

Processes

C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
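The most actionable line in this process list is the cmd.exe -> powershell.exe pair that runs Add-MpPreference -ExclusionPath on the user's Temp directory: it excludes the installer's own staging area from Microsoft Defender scanning before the bare-named payloads (cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe and the others) are launched from the 7zS... extraction directory. Add-MpPreference needs administrative rights, and the report does not show whether the call succeeded; on a real host a successful change is also recorded by Defender as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log. The Python below is an added example, not part of the report: it runs three command-line rules over process-creation records shaped like this section (Defender exclusion pointed at a user-writable path, cmd /c launching a bare .exe name that resolves against the parent's working directory, and an image living under a \Temp\7zS<hex>\ extraction directory) and then counts bare-exe launches per parent to surface the launcher fan-out. The records are copied from the lines above; the final "cmd.exe /c dir" record with an explorer.exe parent is a constructed benign control, the rule names are mine, and the 7zS pattern is derived from this page's paths rather than from a general signature.

```python
import re
from collections import Counter

# Image paths from the report. Command lines are copied from the Processes
# section of behavioral1; the last record is a constructed benign control.
SETUP = r"C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed parent for the control record only

# (parent image, image, command line); parents follow the WriteProcessMemory rows.
EVENTS = [
    (SETUP, CMD, r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (CMD, PS, r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (SETUP, CMD, r"C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe"),
    (SETUP, CMD, r"C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe"),
    (SETUP, CMD, r"C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe"),
    (SETUP, CMD, r"C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe"),
    (SETUP, CMD, r"C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo"),
    (EXPLORER, CMD, r"C:\Windows\system32\cmd.exe /c dir"),  # constructed benign control
]

# Add-MpPreference / Set-MpPreference with one of the three exclusion parameters.
MP_EXCLUSION = re.compile(r'\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"?([^"\s]+)', re.I)
# Locations a standard user can write to; an exclusion here shields a staging dir.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)", re.I)
# cmd /c <name>.exe with no directory: resolution depends on the parent's working dir.
CMD_C_BARE_EXE = re.compile(r'cmd(?:\.exe)?\s+/c\s+([^\s\\/:"]+\.exe)\b', re.I)
# 7-Zip SFX extraction directory naming seen in this report (7zS + hex).
TEMP_EXTRACT_DIR = re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.I)


def triage(parent_image, image, cmdline):
    """Return (rule, detail) findings for one process-creation record."""
    findings = []
    m = MP_EXCLUSION.search(cmdline)
    if m:
        target = m.group(3)
        rule = "defender_exclusion_user_writable" if USER_WRITABLE.search(target) else "defender_exclusion"
        findings.append((rule, target))
    m = CMD_C_BARE_EXE.search(cmdline)
    if m:
        findings.append(("cmd_c_bare_exe", m.group(1)))
    for path in (parent_image, image):
        if TEMP_EXTRACT_DIR.search(path):
            findings.append(("temp_extraction_dir", path))
            break
    return findings


def launcher_fanout(events, min_children=5):
    """Parents that launch at least min_children bare .exe names through cmd /c."""
    per_parent = Counter()
    for parent_image, image, cmdline in events:
        if any(rule == "cmd_c_bare_exe" for rule, _ in triage(parent_image, image, cmdline)):
            per_parent[parent_image] += 1
    return {p: n for p, n in per_parent.items() if n >= min_children}


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev[2][:60], "->", triage(*ev) or "clean")
    print("launcher fan-out:", launcher_fanout(EVENTS))
```

The exclusion rule fires twice here (once on the cmd.exe wrapper, once on powershell.exe itself), which is the behaviour you want in an EDR pipeline that sees both creations; deduplicate on the exclusion target if you only need one alert per path.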

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e71bedc46122099d570715a1a7114d29
SHA1 b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256 bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f

\Users\Admin\AppData\Local\Temp\7zS46ACBED6\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2616-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2616-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2616-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2616-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2616-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2616-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2616-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2616-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2616-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

memory/2616-107-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2616-106-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2616-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2616-103-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2616-100-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2616-99-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

memory/2616-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2616-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2616-76-0x000000006B440000-0x000000006B4CF000-memory.dmp
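The Files list above mixes dropped files (a path followed by MD5, SHA1, SHA256 and SHA512) with memory-dump entries, and several of the DLLs (libwinpthread-1.dll, libgcc_s_dw2-1.dll, libstdc++-6.dll, libcurl.dll, libcurlpp.dll) are standard MinGW-w64 and curl runtime libraries bundled with the installer, so their hashes are far weaker indicators than those of the dropped .exe files. The Python below is an added example, not part of the report: it parses this layout into records, checks that every digest has the length its algorithm requires, turns each memory-dump name into a PID and address range, and tags the runtime libraries separately so an IOC export does not over-weight them. The embedded text is a constructed, abridged copy of the section above; prefixing C: to the entries that omit a drive letter assumes the sandbox has a single system drive.

```python
import re

# Constructed excerpt: an abridged copy of the behavioral1 Files section above.
FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e71bedc46122099d570715a1a7114d29
SHA1 b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256 bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2616-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2616-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS46ACBED6\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# MinGW-w64 / curl runtime DLLs bundled by the installer: the name alone is not an IOC.
RUNTIME_DLLS = {"libwinpthread-1.dll", "libgcc_s_dw2-1.dll", "libstdc++-6.dll", "libcurl.dll", "libcurlpp.dll"}


def normalize_path(path):
    # Assumption: the sandbox has one system drive (C:); the report omits the
    # drive letter on some entries.
    return "C:" + path if path.startswith("\\") else path


def classify(path):
    name = path.rsplit("\\", 1)[-1].lower()
    if name in RUNTIME_DLLS:
        return "bundled runtime library"
    if name.endswith(".exe"):
        return "dropped executable"
    return "other"


def parse_files_section(text):
    """Return (file records, memory-dump records) from the report's Files layout."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                current["problems"].append(f"{algo} has {len(digest)} hex digits, expected {HASH_LEN[algo]}")
            current["hashes"][algo] = digest
            continue
        if "\\" in line:  # any other line with a backslash starts a new file record
            current = {"path": normalize_path(line), "hashes": {}, "category": classify(line), "problems": []}
            files.append(current)
    return files, dumps


def ioc_rows(files, skip_runtime=True):
    """(sha256, category, path) rows suitable for a blocklist or hunt query."""
    rows = []
    for f in files:
        if skip_runtime and f["category"] == "bundled runtime library":
            continue
        if "SHA256" in f["hashes"] and not f["problems"]:
            rows.append((f["hashes"]["SHA256"], f["category"], f["path"]))
    return rows


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_SECTION)
    for sha256, category, path in ioc_rows(files):
        print(sha256, category, path)
    for d in dumps:
        print(f"pid {d['pid']} region 0x{d['start']:X}-0x{d['end']:X} ({d['size']} bytes)")
```

The memory-dump regions are worth keeping alongside the file hashes: the 0x6B440000 and 0x6B280000 ranges for PID 2616 are where setup_install.exe's unpacked code and the bundled DLLs sit, and they are what you would pull from a live host for comparison if the on-disk files have already been deleted.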

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 15:55

Reported

2024-11-07 15:58

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 14
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2936 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe 3
PID 4332 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe 3
PID 3084 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3084 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe 1
PID 3084 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e71bedc46122099d570715a1a7114d29
SHA1 b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256 bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3084-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3084-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3084-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

memory/4964-107-0x00000000045A0000-0x00000000045D6000-memory.dmp

memory/4964-108-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/4964-109-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

memory/4964-111-0x0000000005510000-0x0000000005576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2isnp20.4b2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4964-121-0x0000000005680000-0x00000000059D4000-memory.dmp

memory/4964-110-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/4964-122-0x0000000005B50000-0x0000000005B6E000-memory.dmp

memory/4964-123-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

memory/3084-106-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3084-105-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3084-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3084-103-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3084-101-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3084-97-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/3084-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3084-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3084-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3084-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3084-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3084-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3084-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3084-73-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3084-72-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3084-71-0x0000000000760000-0x00000000007EF000-memory.dmp

memory/3084-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCE0D1867\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3084-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4964-124-0x0000000006110000-0x0000000006142000-memory.dmp

memory/4964-125-0x0000000070BE0000-0x0000000070C2C000-memory.dmp

memory/4964-135-0x0000000006B10000-0x0000000006B2E000-memory.dmp

memory/4964-136-0x0000000006B30000-0x0000000006BD3000-memory.dmp

memory/4964-137-0x00000000074C0000-0x0000000007B3A000-memory.dmp

memory/4964-138-0x0000000006E80000-0x0000000006E9A000-memory.dmp

memory/4964-139-0x0000000006F00000-0x0000000006F0A000-memory.dmp

memory/4964-140-0x00000000070F0000-0x0000000007186000-memory.dmp

memory/4964-141-0x0000000007080000-0x0000000007091000-memory.dmp

memory/4964-142-0x00000000070B0000-0x00000000070BE000-memory.dmp

memory/4964-143-0x00000000070C0000-0x00000000070D4000-memory.dmp

memory/4964-144-0x00000000071B0000-0x00000000071CA000-memory.dmp

memory/4964-145-0x00000000071A0000-0x00000000071A8000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 15:55

Reported

2024-11-07 15:58

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS0CB56996\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2784-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0CB56996\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2784-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2784-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2784-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2784-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2784-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

memory/2784-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2784-98-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2784-97-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2784-96-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2784-94-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2784-90-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zS0CB56996\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

memory/2784-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2784-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2784-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2784-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2784-72-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2784-71-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2784-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2784-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 15:55

Reported

2024-11-07 15:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bc6d13c_Mon235f07b88ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LAIM98KE88CM36M.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4496 set thread context of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754685730693620" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
PID 2576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
PID 2576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
PID 4724 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe
PID 2504 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe
PID 2504 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe
PID 1544 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe
PID 1544 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe
PID 3336 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe
PID 3336 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe
PID 3336 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe
PID 4728 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe
PID 4728 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe
PID 4728 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe
PID 4592 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe
PID 4592 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe
PID 4592 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe
PID 1884 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe
PID 1884 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe
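Every parent/child pair in the table above appears more than once because the sandbox records each hooked WriteProcessMemory call, and a parent writes into a freshly created child several times during ordinary process creation. Folded down, the rows are therefore a process tree: setup_installer.exe spawns setup_install.exe, which fans out through cmd.exe to the individual payloads. The script below is an added example (not part of the report) that parses rows in this layout, collapses the repeats, prints the tree, and lists any child written to by more than one parent, which would be the pattern to look at for real injection. ROWS is a constructed subset of the rows above; the assumed column order is "PID <parent> wrote to memory of <child> N/A <process> <target>".

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example for this page, not part of the sandbox report.  ROWS is a
constructed subset of the rows printed above; the assumed column order
is 'PID <parent> wrote to memory of <child> N/A <process> <target>'.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<proc>\S+) (?P<target>\S+)$"
)

# Constructed sample: a subset of the table, including the repeated rows.
ROWS = r"""
PID 2576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
PID 2576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe
PID 4724 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe
"""


def parse_rows(text):
    """Fold repeated rows: {(parent, child): (proc, target, call_count)}."""
    edges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key = (int(m["parent"]), int(m["child"]))
        proc, target, n = edges.get(key, (m["proc"], m["target"], 0))
        edges[key] = (proc, target, n + 1)
    return edges


def build_tree(edges):
    """Return (children-by-pid, image-by-pid, root pids)."""
    children = defaultdict(list)
    names = {}
    for (parent, child), (proc, target, _) in edges.items():
        children[parent].append(child)
        names.setdefault(parent, proc)
        names[child] = target
    written_to = {c for cs in children.values() for c in cs}
    roots = sorted(p for p in children if p not in written_to)
    return children, names, roots


def foreign_writers(edges):
    """Children written to by more than one parent: a hint of injection
    rather than ordinary process creation (heuristic, an assumption here)."""
    writers = defaultdict(set)
    for parent, child in edges:
        writers[child].add(parent)
    return sorted(c for c, ps in writers.items() if len(ps) > 1)


def render(edges):
    """Indented tree lines, one per pid, using the image file name only."""
    children, names, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        image = names[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {image}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render(edges)))
    print("multi-writer targets:", foreign_writers(edges))
```

On the full table the same code yields one root (2576) and a two-level fan-out under 4724; an empty foreign_writers() result means nothing in this table looks like cross-process injection, only creation.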

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe

6242487ebee69_Mon2360fbbe475.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe

6242487fd82aa_Mon2391599e.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe

62424880dba59_Mon2373ae22.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe

62424882a2d43_Mon2366e91c07.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe

624248845c537_Mon23d60fef.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe

624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe

624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bc6d13c_Mon235f07b88ae.exe

624248bc6d13c_Mon235f07b88ae.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe

624248bf51749_Mon23fd163f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe

624248c03c802_Mon23cf6fc42c67.exe

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe

624248c3cb9af_Mon237bf16061.exe

C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp" /SL5="$4023C,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe"

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe

624248c2870d6_Mon23e0b3b0.exe

C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$F0066,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe"

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe

"C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe" -h

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe

"C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp

"C:\Users\Admin\AppData\Local\Temp\is-32RRU.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$3022A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe" /SILENT

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /Y .\WJZ~MF~9.0S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 756

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 644

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffac96ecc40,0x7ffac96ecc4c,0x7ffac96ecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2596 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4520,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3660 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\AppData\Local\Temp\LAIM98KE88CM36M.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5316,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4732,i,17669377736849143038,2541088370148373714,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=208 /prefetch:8
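The command lines above contain the whole evasion sequence in the clear: the first thing setup_install.exe does is run PowerShell with Add-MpPreference -ExclusionPath on the extraction directory, a later stage runs Set-MpPreference to turn off real-time monitoring, MAPS reporting and sample submission, chrome.exe is force-killed with taskkill, and msiexec is invoked with /Y (which calls DllRegisterServer on the named file) against an oddly named file. The payloads run from a %TEMP%\7zS<hex>\ directory, the layout a 7-Zip SFX archive unpacks into, and two of them are Inno Setup installers whose second stage is the is-XXXXX.tmp\*.tmp process launched with /SL5=. The script below is an added example, not part of the report, that runs a small rule set over command lines of this shape and reports what matched; SAMPLE is a constructed subset of the lines above, and the rule names, severities and the interpretation in the comments are assumptions of this example, not statements made by the report.

```python
"""Flag defence-evasion and staging patterns in process command lines.

Added example for this page, written against the command lines listed
above; it is not part of the sandbox report.  SAMPLE is a constructed
subset of those command lines, and the rule names, severities and the
interpretation comments are assumptions of this example.
"""
import re
from collections import Counter

# (rule name, severity, pattern); each pattern is matched case-insensitively
# against one full command line.
RULES = [
    # Defender told to ignore the staging directory before payloads run.
    ("defender_exclusion_added", "high",
     r"Add-MpPreference\b.*-ExclusionPath"),
    # Real-time protection switched off outright.
    ("defender_realtime_disabled", "high",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true"),
    # Cloud lookups / sample submission disabled so new droppers stay unknown.
    ("defender_cloud_reporting_off", "medium",
     r"Set-MpPreference\b.*(-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend)"),
    # Browser force-killed; assumption: this releases the locks on its
    # cookie/login databases, a common stealer step.
    ("browser_force_killed", "medium",
     r"taskkill\b.*\s/im\s+(chrome|msedge|firefox|brave|opera)\.exe"),
    # msiexec /y calls DllRegisterServer on an arbitrary file: LOLBin DLL load.
    ("msiexec_dll_selfregister", "medium",
     r'msiexec\.exe"?\s+/y\b'),
    # 7-Zip SFX archives unpack to %TEMP%\7zS<hex>\ and run from there.
    ("sfx_temp_stage", "low",
     r"\\Temp\\7zS[0-9A-F]+\\"),
    # Inno Setup second stage: is-XXXXX.tmp\*.tmp launched with /SL5=.
    ("inno_setup_second_stage", "info",
     r'\\is-[0-9A-Z]+\.tmp\\.*\.tmp"?\s+/SL5='),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def scan(cmdlines):
    """Return one (rule, severity, cmdline) tuple per rule hit."""
    hits = []
    for line in cmdlines:
        for name, sev, rx in COMPILED:
            if rx.search(line):
                hits.append((name, sev, line))
    return hits


def summarize(hits):
    """Count hits per rule name."""
    return Counter(name for name, _, _ in hits)


def highest_severity(hits):
    """Worst severity seen, or 'none' when nothing matched."""
    if not hits:
        return "none"
    return max((sev for _, sev, _ in hits), key=SEVERITY_RANK.__getitem__)


# Constructed sample: a subset of the command lines above (the Chrome
# line is abridged).  The WerFault line is benign crash handling noise.
SAMPLE = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'"C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp" /SL5="$4023C,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe"',
    r'"C:\Windows\System32\msiexec.exe" /Y .\WJZ~MF~9.0S',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 624',
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for name, sev, line in found:
        print(f"[{sev:6}] {name}: {line[:90]}")
    print("overall:", highest_severity(found), dict(summarize(found)))
```

The Defender rules are the ones worth alerting on in production: both Add-MpPreference -ExclusionPath and Set-MpPreference -DisableRealtimeMonitoring from a non-interactive PowerShell whose parent is cmd.exe under %TEMP% have essentially no legitimate use. The 7zS and Inno Setup rules are context only, since plenty of clean installers produce the same paths.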

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 fashion-academy.net udp
US 8.8.8.8:53 ce25059.tmweb.ru udp
US 8.8.8.8:53 ookla-insights.s3.pl-waw.scw.cloud udp
US 172.232.25.148:443 www.icodeps.com tcp
PL 151.115.10.4:80 ookla-insights.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 ip-api.com udp
RU 5.23.50.132:80 ce25059.tmweb.ru tcp
US 8.8.8.8:53 gardnersoftwera.com udp
US 8.8.8.8:53 all-smart-green.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud udp
PL 151.115.10.4:80 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud tcp
US 199.59.243.227:80 all-smart-green.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 vh342.timeweb.ru udp
US 8.8.8.8:53 www.hhiuew33.com udp
RU 5.23.50.132:443 vh342.timeweb.ru tcp
US 8.8.8.8:53 148.25.232.172.in-addr.arpa udp
US 8.8.8.8:53 4.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 132.50.23.5.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 getnek.com udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ww99.icodeps.com udp
US 67.225.218.41:80 ww99.icodeps.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 41.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 ww1.icodeps.com udp
DE 64.190.63.136:80 ww1.icodeps.com tcp
US 8.8.8.8:53 fashion-academy.net udp
US 8.8.8.8:53 gardnersoftwera.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 appwebstat.biz udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.74:443 ogads-pa.googleapis.com tcp
GB 172.217.169.78:443 apis.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
GB 172.217.169.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 78.14.113.227:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 xoxctajs.aquamarineboilinghorse.online udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
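Most rows in the table above are not indicators: the in-addr.arpa entries are reverse lookups of addresses already seen, 127.0.0.1 and 224.0.0.251 are local and mDNS traffic, and the Google, pki.goog and lencr.org rows are Chrome and certificate-validation traffic from the browser the sample relaunched. What is left is a short list of domains that were actually connected to (with their resolved addresses), domains that were only ever queried (v.xyzgamev.com is looked up dozens of times and never connected to, which usually means it did not resolve), and one direct-to-IP connection on port 8080. The script below is an added example, not part of the report, that performs that triage on rows in the report's column order; SAMPLE is a constructed subset of the rows above, and the allow-list of browser/CA infrastructure and the service notes are assumptions of this example rather than anything the report states.

```python
"""Pull candidate indicators out of a sandbox 'Network' table.

Added example for this page, not part of the report.  SAMPLE is a
constructed subset of the rows above in the report's own column order
(Country, Destination, Domain, Proto; Domain is absent for direct-to-IP
rows).  The allow-list of browser/CA infrastructure and the service
notes are assumptions of this example, not something the report states.
"""
import ipaddress
from typing import NamedTuple, Optional


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


# Constructed sample: a subset of the table above.
SAMPLE = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 ce25059.tmweb.ru udp
US 172.232.25.148:443 www.icodeps.com tcp
US 8.8.8.8:53 ip-api.com udp
RU 5.23.50.132:80 ce25059.tmweb.ru tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
N/A 127.0.0.1:80 tcp
N/A 224.0.0.251:5353 udp
US 78.14.113.227:8080 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
"""

# Infrastructure Chrome itself talks to (Google services, Let's Encrypt
# OCSP, Google's CA endpoint).  Assumption: drop it unless the case shows
# Google services being abused for C2.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com",
                   "pki.goog", "lencr.org")
# Public services that are legitimate but routinely used by stealers.
KNOWN_SERVICES = {
    "ip-api.com": "public IP/geolocation lookup",
    "iplogger.org": "IP-logging/tracking service",
}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into Row tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_iocs(rows):
    """Return ({domain: info}, [(ip, port, proto) direct connections])."""
    domains = {}
    direct = []
    for r in rows:
        ip = ipaddress.ip_address(r.ip)
        if r.domain and r.domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups of IPs already seen, no new IOC
        if ip.is_loopback or ip.is_multicast or ip.is_private or ip.is_link_local:
            continue  # localhost, mDNS and LAN noise
        if r.domain is None:
            direct.append((r.ip, r.port, r.proto))
            continue
        if is_benign(r.domain):
            continue
        info = domains.setdefault(r.domain, {
            "ips": set(), "connected": False, "dns_queries": 0,
            "note": KNOWN_SERVICES.get(r.domain),
        })
        if r.port == 53 and r.proto == "udp":
            info["dns_queries"] += 1  # a query to the resolver, not a contact
        else:
            info["connected"] = True
            info["ips"].add(r.ip)
    return domains, direct


def dns_only(domains):
    """Names queried but never connected to: likely unresolved or dead C2."""
    return sorted(d for d, i in domains.items() if not i["connected"])


def render(domains, direct):
    lines = []
    for name in sorted(domains):
        i = domains[name]
        where = ", ".join(sorted(i["ips"])) or "no connection"
        note = f" ({i['note']})" if i["note"] else ""
        lines.append(f"{name:45} {where}{note}  dns={i['dns_queries']}")
    for ip, port, proto in direct:
        lines.append(f"{'(direct)':45} {ip}:{port}/{proto}")
    return lines


if __name__ == "__main__":
    d, x = extract_iocs(parse_rows(SAMPLE))
    print("\n".join(render(d, x)))
    print("dns-only:", dns_only(d))
```

Run over the full table this separates the connected hosts (icodeps.com and its ww1/ww99 subdomains, ce25059.tmweb.ru, vh342.timeweb.ru, all-smart-green.com, the two s3.pl-waw.scw.cloud buckets, iplogger.org and ip-api.com) from the query-only names (v.xyzgamev.com, gardnersoftwera.com, fashion-academy.net, appwebstat.biz, getnek.com, www.hhiuew33.com, blackhk1.beget.tech, xoxctajs.aquamarineboilinghorse.online) and the lone 78.14.113.227:8080 connection; query-only names still belong on a DNS blocklist, since the sample will retry them on a host where they do resolve.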

Files

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4724-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/4352-96-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

memory/4944-114-0x00000000008C0000-0x00000000008C6000-memory.dmp

memory/4352-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2208-123-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/5116-126-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

memory/4352-120-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4352-119-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4352-117-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

memory/2208-110-0x0000000004C40000-0x0000000004C76000-memory.dmp

memory/4352-108-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2608-112-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

memory/4352-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4352-103-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4352-102-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/956-129-0x0000000140000000-0x00000001406C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-E6816.tmp\624248bf51749_Mon23fd163f29.tmp

MD5 25ffc23f92cf2ee9d036ec921423d867
SHA1 4be58697c7253bfea1672386eaeeb6848740d7d6
SHA256 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703
SHA512 4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

C:\Users\Admin\AppData\Local\Temp\is-4IQF1.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\is-QM3PQ.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/1912-157-0x00000000013F0000-0x00000000013F2000-memory.dmp

memory/1912-161-0x0000000002D90000-0x0000000002DD7000-memory.dmp

memory/3516-162-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1912-160-0x00000000000D0000-0x0000000000249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

memory/3516-158-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1912-156-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/1912-155-0x00000000000D0000-0x0000000000249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GIJ9N.tmp\62424882a2d43_Mon2366e91c07.tmp

MD5 bf0e3b12f2997dc8963a7185da858ae1
SHA1 750dfeb4768878a2a70708f7852137b29f84afdc
SHA256 9e2310fd47d35e832659298351275ec7aa30034d41d3669d22344738ffc23256
SHA512 2c115c105766edcf1a9a221bb897294a7d71eea4245ec659e5f0294523333cd141714e7cde6ab6535b0c4615f9b0cad7889968262287f192bb7b4c1cc8593a17

memory/1912-134-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/4352-101-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4944-107-0x00000000000F0000-0x000000000011C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

memory/4724-93-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4724-92-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4724-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4724-88-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4724-84-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4724-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4724-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuc5knci.zdo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2208-171-0x0000000005B60000-0x0000000005BC6000-memory.dmp

memory/2208-170-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/2208-169-0x0000000005A50000-0x0000000005A72000-memory.dmp

memory/4724-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4724-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4724-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4724-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4724-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4724-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4724-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4724-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4724-60-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4724-59-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4724-58-0x00000000007A0000-0x000000000082F000-memory.dmp

memory/4724-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4724-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2208-172-0x0000000005BD0000-0x0000000005F24000-memory.dmp

memory/4464-177-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3512-185-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2608-187-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1136-194-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5116-206-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4740-199-0x0000000003070000-0x0000000004070000-memory.dmp

memory/2208-222-0x0000000004F70000-0x0000000004F8E000-memory.dmp

memory/4832-226-0x0000000006420000-0x000000000646C000-memory.dmp

memory/3872-230-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\arxiv.zip

MD5 4298fa80523abf31d8d2dba0eecc47f4
SHA1 57849373d58c4afee2cfc8e64839b9f03929a67a
SHA256 5585cf0ec6321a62b8d7572e5eaaec6c092577d63713b503713e81288e8466ce
SHA512 548e1821d46e590c7782485be58a8b214819f7279dd537bff95101c165e6dc68783c67eb3cf41e6791029b1cb8221c76a04c32eb8b93ab12d38ada1376997bc5

memory/4832-249-0x0000000007570000-0x0000000007613000-memory.dmp

memory/4832-248-0x0000000007540000-0x000000000755E000-memory.dmp

memory/4832-238-0x000000006E3D0000-0x000000006E41C000-memory.dmp

memory/4832-237-0x0000000007500000-0x0000000007532000-memory.dmp

memory/4832-260-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/2208-250-0x000000006E3D0000-0x000000006E41C000-memory.dmp

memory/4832-261-0x00000000076A0000-0x00000000076BA000-memory.dmp

memory/4832-262-0x0000000007720000-0x000000000772A000-memory.dmp

memory/4832-263-0x0000000007910000-0x00000000079A6000-memory.dmp

memory/4832-264-0x00000000078A0000-0x00000000078B1000-memory.dmp

memory/2208-266-0x0000000007740000-0x000000000774E000-memory.dmp

memory/4832-265-0x00000000078D0000-0x00000000078DE000-memory.dmp

memory/4832-267-0x00000000078E0000-0x00000000078F4000-memory.dmp

memory/4832-268-0x00000000079D0000-0x00000000079EA000-memory.dmp

memory/4832-269-0x00000000079C0000-0x00000000079C8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05691ff069bf4b69111cf365d11ff98d
SHA1 ff27a8c928352e9020782590e648a7e679101c23
SHA256 5e6e30cde6f118f808e8e572efb7b4c194b9af0700f853d9c0c91cb07bebc2f9
SHA512 0aec11d1a9fddedaa7a0a7c40feb92d5011e6129fd4b28b8c604399aff958cb800ee3b034117e85b40835f66b32bb5033ef8597a39425a510df5fa260b97c12c

memory/4760-275-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1912-276-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/1912-277-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/4740-280-0x000000002DE10000-0x000000002DEC1000-memory.dmp

memory/4740-283-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

memory/4740-285-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

memory/4740-282-0x000000002DEE0000-0x000000002DF7D000-memory.dmp

memory/4464-290-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4740-301-0x0000000003070000-0x0000000004070000-memory.dmp

memory/3936-300-0x0000000000400000-0x0000000000682000-memory.dmp

memory/4760-305-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2681974425a68a5af9bd4bb938eed085
SHA1 781919f9c089210515da848ad77afa9ad3d130bb
SHA256 015fc7aed4b808185c0c897b222576c37b7c565efced5d1c5851eeb38a84efc2
SHA512 b8ee1561294f675773f3e853e18d95aec636781ae10d9f06269340a553c852bcb16e48ed24676824c495dbb3539d17dc0c2caf99db654109f9126b4b5998cc50

\??\pipe\crashpad_3948_COEBYTATCQLRZNWZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1912-325-0x00000000000D0000-0x0000000000249000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0136a7bf8a88f6ea30f6db56ccffe3ee
SHA1 a8c295faba6545cf0c7385cac43046803af5b983
SHA256 26cffb0349fac4454141a31956de0b92897ae4c9c81e4a60f9d531385318e7f3
SHA512 94818810aac9bc1efc48594bf80be8f2d7c41022c351dd91acd41f148771d020e9825969526878621909b0526a65dc1846fe0ea5c86e5de9a4e31bf21127611f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 464ad6f70f6b5d792af40101f4a63444
SHA1 d065a16510c64e74d7fec09654b9b9a7722b98c8
SHA256 e8681662d46672b0150ce9646682e41dd2a77f828dae363f460cf2eee640bc6b
SHA512 b222128943eec99a8bdc5e87a0879a9410c27adf5d616b98ace298402804a5d4f28f925092471b626de3e828b4c7814ad59255c2806183b1c39f62adf0b9c654

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 05c914f45659f15d95418483747fc5df
SHA1 cd72b3eba5a707848ec2dcce0cd2d3261f7ce033
SHA256 b2053543ede246e1a91b2971f3f2398c96c95fba46a1621d11dd3de21570b427
SHA512 d1a4789917c1940fba6d3690d2ce6d125fc9261a1b67708720d783cf364d66b78f02de4030e449a1bca2da223edae903c9dfcf01b58bb86d37ef5d741903b2cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e9c186ed39121aa9145d476e5e640c46
SHA1 2b60a69bc0cd0fd9a161e5bf6474e0af6732c4ac
SHA256 980d149b560d6f1c8a4fa7337a1a0f1e939bdb50c646d37af2fc132932e157ab
SHA512 590936e4d111fcc8cbf769fec57caabc04f9d90641234a7b390a40004df9d7e9bc00ebde177e6fc33941b84a2283dcc098120dfbbbf8b6aa0d918e64163681c3

memory/1912-368-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/1912-383-0x00000000000D0000-0x0000000000249000-memory.dmp

memory/840-384-0x0000026260520000-0x0000026260526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\570acece-11c1-4e68-b913-e161661a61ce.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 551559c762e4de9effb699293b509cf7
SHA1 d32074ab2dd9d4d1a63ae69e3421eea292a43f82
SHA256 1e1f7b2a886878c8f1da471a242567a75d740a2cb8916684b0a9439b964c4f2a
SHA512 ef281de70fd1a4a949058da8d9779370e7935c4c4696a52dad2be5d6613c1598ded57251296bbdd4c7b97c4668c7de078136f284940ea53adf7827034baa3b76

C:\Users\Admin\AppData\Local\Temp\scoped_dir3948_1170047814\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0390cc2a6d912eb9ecca47e3205c359f
SHA1 37640a932b2a50bcbf0fda2a8672cbf0652ea53f
SHA256 f49e032a3d5b0c2d83a7a04298f00ac1b9b44df87cb33b42d52edf1d5c5b890a
SHA512 10012f031d42109bb970c23af750250a91111e2d6f9ea47ccfc5329b6afb566842e98cea42d48654f902cfede73ab2bc88cf5ea5b58ffe33c080d228acbd2f52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7bfc3b614f8005029c9763d2b73ca2fd
SHA1 5975b071483b92261dfc10eca7152e09e00439db
SHA256 b04e462ac6c4f2d6a04d57fc62cd68528a31928969076326485afe2b2d105ec5
SHA512 e7134b7f3543d57d6731f559622e1aec2783c2a97b912a36210a8277d5f9a1265dba9f0c0466af7925e980818251956c0c538dd7812a9695ce60591d6f5b3707

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 cab2832b3ade8642c29d4a7e5b6ac818
SHA1 f6cc1b9e40943e9f54f8622e39ec9b1c18e76c43
SHA256 c8ebf0bebd791abd92bbac956bc12a6ac45926c845271e3e43c8b1aa8d4a6448
SHA512 1ffdf475e3683a431cdb80d55e4525277df90a918fc674e6d25319f302cba33a13535e2109b0547968374ce5e1e3ca1068dc8a3f95df12747dbcb32832a593fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 afe2a3950cbedb50a9119a084e4d41a7
SHA1 ca08b9e7e9684e12602be3a1f3c9a4da758696e9
SHA256 9b77a6874d193d5661c5e0b7ab36e2fce4935df2d843aad76fc01584b2495b32
SHA512 86d45d0251bbb88a992e7cd8101e08a85de041f181fdbde2f1b9eca8936b87bc4d203cfc1af9505b02ffaae50ce6afea3673a1cb87a2af5a72e84be07c40acc9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5377528bbb03ef9aad3b10a8507ea35d
SHA1 dc60f6c55cbfc12bd0b90dc4683555406e75377a
SHA256 c1a408f3a068651469b2bf76da06244d45ce259e9a8edf33387421dede23a922
SHA512 17aaf34f46a7b6afb02ab7aefbe0276b726f0a1c0b727dfde2726c364379a0358ffa109194e303807baf6dba1ef7525db8142e39dad1aa91f2f11d72e2193d77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5ac1ac48-0a3d-4d41-b279-7f7e735d6534.tmp

MD5 43bedaabfcb52ad2bddf67465cecab2e
SHA1 8a5ade0794af66952db27739cb9f0ac7367276cc
SHA256 5241eba639c20bb9c40c693ce6422e0532bcd7837366f94e34707539b63141f7
SHA512 4b028bad618820be408ef54b31020aac93cd781608df5f3661eb597170ca298b623190697e6baaafec6508e014bd0b0b20936bcd00dde184c15e1e48da0026a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fcb754def41998af917f22bd8225cc31
SHA1 0557a1bc3efd57e95290c364cf20a286a9906c00
SHA256 83f079fdc330d69a3e0b014a5bf2779255764a2e1b5ee089ab7d3ef94993790f
SHA512 9a5daebc01b2570c229462100079feca4e6bc5e84a5c6500c492e8a1f30992112b3c849c432ca09c8b32da3faf65993397f4d3465ccf0aaae2a4db9585bceeb1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 5793df12a6a77ebdc8c02708fa81e7c6
SHA1 5480cc99e919ec37b828c52383fc4edf5a17d25c
SHA256 8c3178344cc3de1f24f8056fcea6eaa0633277cbc34ae1f9df013775b3096356
SHA512 77978fda339a9252e1f5459c904967f26897407d6c8858cfdc9ccf6a29d3de7bcadcb91730b678a1ee2aaf32a2dedc04ebbd51654b27b1fdb7e13e8e05f2c3e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f94da9d7c83577cbcbc59db43c132648
SHA1 7aa7c487f2df790f616b637b1e29b1a4488d5d6f
SHA256 7509d53535bea550565db05a8c343a05662cd2ba2fc2c1ada82f81029104e742
SHA512 fcc702cab1edf27930c62562d3de2edee80a5b8c03b37f66e2bcde866f8feac9f5287130db0741dd65133c94fa296b29c67ef642c9eb637029436a4c6f22dd69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1702d8235fe3484f72a3eb17a1fbbfaf
SHA1 50c3031a0d715895678bd5256c085159c20ec3e3
SHA256 7d399aa5a47f088736db353f0c128894a9168b492b2780bf665af5754b7ba6ad
SHA512 dee090ee0e7039c5fae43c594940ce2900dd0b453966bca30fee568b74d3835b7f20a7fa5fff6586e708c3f041dc0232ac8acf72a14cf6a9d8963f1c006fa0ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b9bee7626aad3ee2ae77ed07690d412a
SHA1 0b9f86206ed1f655f4a975a0d09d529ff4fe75bf
SHA256 ee71668515c3a7177b25f40139837ddb41d1e58b9121bd908e2baf8ac4645f6d
SHA512 bc58d5d2fed5a9f6ccbf646299fb35de9ab0c1479a830a82144bdea498edbce12ba287ce19e2241cc2b2c624a26be7a5a425761d038235dd5450e01cf48e3c2f
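The listing above mixes three kinds of entry: dropped files with their four digests, host-side artifacts the malware merely touched (Chrome profile files, PowerShell startup caches), and `memory/<pid>-<n>-<start>-<end>` regions the sandbox dumped. Before any of these hashes go into a blocklist they need sorting, because several entries are hashes of trivial content: the `\??\pipe\crashpad_...` entry carries the digests of zero bytes (MD5 `d41d8cd9...`, SHA256 `e3b0c442...`) and the `SCT Auditing Pending Reports` file is the two-byte JSON `[]`. Either one in a blocklist matches every empty file on every host. The Python below is an added example written for this page, not part of the sandbox report or its tooling; it parses an excerpt of the listing in the report's own line format and applies a small set of classification heuristics that are my own assumptions (the path patterns for browser-profile and PowerShell artifacts, the trivial-content set of `b""`, `b"[]"`, `b"{}"`), keeping only SHA256 values of dropped binaries as blocklist candidates.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Excerpt of the report listing above, in its own format: a path, a blank line,
# four digest lines; memory dumps are a single "memory/..." line each.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\7zS01AF73A7\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

memory/4352-120-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuc5knci.zdo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\pipe\crashpad_3948_COEBYTATCQLRZNWZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Digests of content that carries no information about the sample (assumption: this
# small set covers the empty-file and empty-JSON cases seen in sandbox listings).
TRIVIAL_CONTENT = (b"", b"[]", b"{}")
TRIVIAL_MD5 = {hashlib.md5(c).hexdigest() for c in TRIVIAL_CONTENT}
TRIVIAL_SHA256 = {hashlib.sha256(c).hexdigest() for c in TRIVIAL_CONTENT}


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Split the report listing into file records and memory-dump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HEX_LEN[algo]:   # catch truncated/garbled digests early
                raise ValueError(f"bad {algo} length for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        current = FileRecord(path=line)        # any other non-blank line starts a record
        files.append(current)
    return files, dumps


def classify(rec: FileRecord) -> str:
    """Heuristic bucket for a file record (assumed path patterns, not report fields)."""
    p = rec.path.lower()
    if rec.hashes.get("MD5") in TRIVIAL_MD5 or rec.hashes.get("SHA256") in TRIVIAL_SHA256:
        return "trivial-content"       # empty file / empty JSON: never blocklist these
    if "\\google\\chrome\\user data\\" in p:
        return "browser-profile"       # evidence of profile access; digest is host-specific
    if "__psscriptpolicytest_" in p or "\\powershell\\startupprofiledata" in p \
            or "clr_v4.0_32\\usagelogs" in p:
        return "powershell-artifact"   # side effect of powershell.exe starting; host-specific
    if p.endswith((".exe", ".dll", ".tmp", ".zip")) and "\\appdata\\local\\temp\\" in p:
        return "dropped-payload"       # blocklist candidate
    return "other"


def blocklist(files) -> list:
    """SHA256 values worth pushing to a blocklist: dropped payloads only."""
    return sorted(r.hashes["SHA256"] for r in files
                  if classify(r) == "dropped-payload" and "SHA256" in r.hashes)


def dump_summary(dumps) -> dict:
    """Per-PID (region count, total bytes) of dumped memory, to see which PIDs were unpacked."""
    summary = {}
    for d in dumps:
        count, total = summary.get(d.pid, (0, 0))
        summary[d.pid] = (count + 1, total + d.size)
    return summary


if __name__ == "__main__":
    files, dumps = parse_listing(LISTING)
    for r in files:
        print(f"{classify(r):20} {r.hashes.get('SHA256', '-')[:16]}  {r.path}")
    print("blocklist:", blocklist(files))
    print("dumps:", dump_summary(dumps))
```

Run over the full listing, the only entries that survive into `blocklist()` are the `7zS01AF73A7\*.exe`, the `is-*.tmp\*.tmp` Inno Setup stubs and the bundled DLLs; every Chrome `Preferences`, `Local State` and `Secure Preferences` hash is per-host and changes on every run, so it belongs in the "profile data was read/modified" finding rather than in an indicator feed. The dump summary is a quick way to see that PID 4724 and PID 4352 had many regions dumped, which is where an analyst would look first for the unpacked payloads.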