Malware Analysis Report

2024-11-13 18:55

Sample ID 241110-arprasvke1
Target c847880583691ca76c6ceb4cb64bc7cde2ee0074
SHA256 c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792
Tags nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner onlylogger redline smokeloader pub3 same backdoor infostealer loader spyware trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 c6516c7a85b6edc568ca129e647ea741f0a2d7bd0eadfeb7b4b4a6f0b2bfc792

Threat Level: Known bad

The file c847880583691ca76c6ceb4cb64bc7cde2ee0074 was found to be: Known bad.

Malicious Activity Summary

nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner onlylogger redline smokeloader pub3 same backdoor infostealer loader spyware trojan

Nullmixer family

SmokeLoader

Socelars payload

Socelars family

NullMixer

Onlylogger family

RedLine

Smokeloader family

OnlyLogger

Redline family

Socelars

Fabookie

Detect Fabookie payload

Gcleaner family

Fabookie family

RedLine payload

GCleaner

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

VMProtect packed file

Reads user/profile data of web browsers

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Kills process with taskkill

Enumerates system info in registry

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:26

Reported

2024-11-10 00:29

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 748 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 748 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 748 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3016 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe
PID 3016 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe
PID 3016 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe
PID 4020 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe

"C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7528c7e5_Fri13be9f3c6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75363f77_Fri1366dac3a944.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75453fd2_Fri1347852ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76c1f60f_Fri1395d364.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76e6acbe_Fri134d8724752.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7710e6e4_Fri133f08d0114d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a522790_Fri130206254.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a7a151d_Fri137e98926fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7aa4b416_Fri133529ec01f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ab338f8_Fri13f726be9ff.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ae19ce0_Fri13a868de1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7af345ac_Fri13b7f06884.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e5debd90b07e67f9b1ae38e4412c86c4
SHA1 4b7e7161161709a25e5e655ee60f6eae3fa39c32
SHA256 c5c7eade46a64e20a9eae3757ec58a0c62f3d7e33971bacd7064a97588af39d8
SHA512 fb3bf8a363bac644f5ded4bd30ab779aa54d3e118b73893466ca93b738ad42f93ce0f3aafb7d1a1e0863f4a1506ac5faf588c344f4e812611e9c734157fe3113

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\setup_install.exe

MD5 955a80af149655652530e472782aaf79
SHA1 a581b2d53f8d2ca46458af201694789c0f501475
SHA256 c50bf0b1a0313c72b557df6a60fa9937873772d105084f68c83e4f74fff8ca47
SHA512 d610e8b64a445bf4306bcc980e6c3ead5ea898bbb8c03fa5f55202bf045042a28fdf15b9a8fd767131729f7b83c81c5b59a7a949a967d59370450b29e1268149

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4020-72-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4020-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7710e6e4_Fri133f08d0114d.exe

MD5 d51275ff35e617742f06569fe0dc9cde
SHA1 ec6f2e1ff8463c1f8d3cc4421af5815798e053f6
SHA256 3d8077e64cf958be5a75783bba6c01719debd50a55b02d23d12e758ee7af5a8b
SHA512 e2f37ccf8bf221ac779f53d20029f7caa85cdef56ade371b82a8ac366420bc6abdcf47b2d1f7f83ed70420752822a60b7026cba7e2372d49438c5e9949b8a71a

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7af345ac_Fri13b7f06884.exe

MD5 84e9047be9d225a784b8855640a6d034
SHA1 deadecb0340b58236fd4e6127b0a545c47e7393e
SHA256 40fd6365f236050b75bd96ad7cab07c6b6875ce2c76016499bed58e5a27ef0de
SHA512 8a721f423f61504bf0de5acedf37a5e48d8f8e7d74a547f1865904e168622a075d64f1bb7b2aa8f150a0eb0d1e035d342d5268b4ab460c18713ce6425330da50

memory/4020-104-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2164-105-0x0000000002BD0000-0x0000000002C06000-memory.dmp

memory/2164-106-0x00000000053E0000-0x0000000005A08000-memory.dmp

memory/2164-107-0x00000000052F0000-0x0000000005312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14d5rpia.dea.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2164-109-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/2164-119-0x0000000005CB0000-0x0000000006004000-memory.dmp

memory/2164-108-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/2164-121-0x0000000006200000-0x000000000624C000-memory.dmp

memory/2164-120-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/4020-103-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-102-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4020-101-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4020-99-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4020-95-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7ae19ce0_Fri13a868de1.exe

MD5 9f2ba6cffd2e51c63f1f0bf153b87823
SHA1 a00e56425d201225c41b13f22a09fb4562bc1cf4
SHA256 30b2aac192d6bb77baf163dd16ee9c2b1e928d9ff62cbeee1ace6aa2d84d59e9
SHA512 b97b73f356319e59d95010ce06b578db0f5a1f84c7863c066b1982a8106f6c86769b003e2ffde00941ce74b9f15bca8990fbffe6b350ff4a40166bc0bf416c7d

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7ab338f8_Fri13f726be9ff.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7aa4b416_Fri133529ec01f5.exe

MD5 0a8d60731fe6e1dd5ab0e42ec68dd655
SHA1 5e0adf2c89c6dbf83f19e79d83b40402880884f9
SHA256 e0c54390047af2d8491d9fd8032f3b2dec88cd34eb854aff8fb118ee7bd03ef3
SHA512 58e96d65bf876d65372dd7c748933e2212676111e344ab749e4150dd3616eba140d2e128ef616aa8e0345c7db78e28c2157843c355e66cdc74c77f9c9e48a490

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7a94bb5c_Fri136aafed62.exe

MD5 8daa50a23acd7af738f176b2590e94c6
SHA1 2d58cb919ea524591bc6a08ff3fe77ae0db6221f
SHA256 4d24517c0f7a7e07c07d3f4b819cd5f5165c7044bcc932e51ba39f082847d19a
SHA512 3aca67a8d507d4029fb24b8f0b9a7aef57f70a16c833a9cfb2b51022fad4e54507edea21c2a4888843c6a9e4f6513ff49c0296dc09b45328d1c8300b9f90de87

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7a7a151d_Fri137e98926fc.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7a522790_Fri130206254.exe

MD5 6eced1a017445828224259a62a663478
SHA1 e478e5e94d4fdb6d3f7c9bc1eb3a3faef7a27a8b
SHA256 9caee013dc3b0158f883dd8926181e10993612769504be3884f0c5eb49c0a524
SHA512 878892ba72658b67a78c1add2a5c0af900ed0d40a44664c89c993aa3a6b0733957d7f11317b8942e51c0139afea967f7ef3e9dc23ed0cc75f8553fd23d92fe64

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f76e6acbe_Fri134d8724752.exe

MD5 c4753d4efda428971afd33ec13a00e9b
SHA1 8801c82e95d5d5ab2c87e81b6b7768142df957f3
SHA256 8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
SHA512 b651210962348faa03ec31874e37958c9294e58aa709199ffaa7f4e53d39e4100e2c2457f65bb0e72e5b8293ff07be0c421f8073f0d2b67a8923b5292f5300b0

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f76c1f60f_Fri1395d364.exe

MD5 aa1a33a40570d4fd2f17c569f4ab1170
SHA1 fc9b9b6ef3235ea76c3b5fd5ded6b4554eaa01c2
SHA256 e97a44529a5f1e223d471f68a1fe6bddb0754b4a4880067b6872154a781fd6a5
SHA512 a1335b6b2c07ff9543634ffc3162facd8bac8d1bf24ed0a2a36246981994785838b5b1343c44bcf55ce771dfe5bcda44a18fc0bdd9cdee5f7f652065642bf115

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f75453fd2_Fri1347852ec.exe

MD5 479ba7ea1f2fa2cd51a3ca59a9638010
SHA1 8992de6c918131fbe8821dd16cc0277951cd362c
SHA256 d66c7fb807beccc1fa5a7d4162d3e8e2d553ba560653a404e1ce6de68ba8c801
SHA512 70be353017f77f5b4fd82738700843bdc5848f175a39d07626dd9f4cb59b4d685dadf69de156f00c62dcc76f8fba233656df258ea103e1000ff038305580179f

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f75363f77_Fri1366dac3a944.exe

MD5 e0f600d0f15da0780b95105788201417
SHA1 9cc5b5d64157444815b101f8500c8535b36a4e62
SHA256 938cbc262bfa2cdf449c75a47d92ef6a719f298ce96598057d42476b3098f5a4
SHA512 a95aa09cd549ea32a1ddd1c78c6a1b90a2720f962f095377a321cf61af0fd5e22fafd40bf13c9d1135c5a71a1b82201c47680e8eedae20c1321d60186bb097cb

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\6246f7528c7e5_Fri13be9f3c6.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/4020-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4020-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4020-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4020-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4020-71-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4020-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4020-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8CBCA887\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4020-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2164-122-0x00000000066C0000-0x00000000066F2000-memory.dmp

memory/2164-123-0x0000000070770000-0x00000000707BC000-memory.dmp

memory/2164-133-0x0000000006700000-0x000000000671E000-memory.dmp

memory/2164-134-0x0000000007250000-0x00000000072F3000-memory.dmp

memory/2164-135-0x0000000007B80000-0x00000000081FA000-memory.dmp

memory/2164-136-0x0000000007500000-0x000000000751A000-memory.dmp

memory/2164-137-0x0000000007560000-0x000000000756A000-memory.dmp

memory/2164-138-0x0000000007750000-0x00000000077E6000-memory.dmp

memory/2164-139-0x00000000076E0000-0x00000000076F1000-memory.dmp

memory/2164-140-0x0000000007710000-0x000000000771E000-memory.dmp

memory/2164-141-0x0000000007720000-0x0000000007734000-memory.dmp

memory/2164-142-0x0000000007810000-0x000000000782A000-memory.dmp

memory/2164-143-0x0000000007800000-0x0000000007808000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 00:26

Reported

2024-11-10 00:29

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe
PID 2884 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7528c7e5_Fri13be9f3c6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75363f77_Fri1366dac3a944.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75453fd2_Fri1347852ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76c1f60f_Fri1395d364.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76e6acbe_Fri134d8724752.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7710e6e4_Fri133f08d0114d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a522790_Fri130206254.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a7a151d_Fri137e98926fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7aa4b416_Fri133529ec01f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ab338f8_Fri13f726be9ff.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ae19ce0_Fri13a868de1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7af345ac_Fri13b7f06884.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\libgcc_s_dw2-1.dll

\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f76c1f60f_Fri1395d364.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7ab338f8_Fri13f726be9ff.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7a94bb5c_Fri136aafed62.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7a522790_Fri130206254.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f76e6acbe_Fri134d8724752.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f75453fd2_Fri1347852ec.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7ae19ce0_Fri13a868de1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7aa4b416_Fri133529ec01f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7a7a151d_Fri137e98926fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7710e6e4_Fri133f08d0114d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f75363f77_Fri1366dac3a944.exe

C:\Users\Admin\AppData\Local\Temp\7zS0E9EEAE6\6246f7528c7e5_Fri13be9f3c6.exe


Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 00:26

Reported

2024-11-10 00:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ab338f8_Fri13f726be9ff.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ab338f8_Fri13f726be9ff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756720402327312" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GH447H0961D6979.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GH447H0961D6979.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 388 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe
PID 388 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe
PID 388 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe
PID 4688 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe
PID 5056 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe
PID 5056 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe
PID 3868 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe
PID 3868 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe
PID 3868 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe
PID 800 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp
PID 800 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp
PID 800 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp
PID 3048 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe
PID 3048 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe
PID 3048 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe
PID 2884 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe
PID 2884 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe
PID 2884 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe
PID 2484 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ab338f8_Fri13f726be9ff.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7528c7e5_Fri13be9f3c6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75363f77_Fri1366dac3a944.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75453fd2_Fri1347852ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76c1f60f_Fri1395d364.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76e6acbe_Fri134d8724752.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7710e6e4_Fri133f08d0114d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a522790_Fri130206254.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a7a151d_Fri137e98926fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7aa4b416_Fri133529ec01f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ab338f8_Fri13f726be9ff.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ae19ce0_Fri13a868de1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe

6246f7aa4b416_Fri133529ec01f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe

6246f7a522790_Fri130206254.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp" /SL5="$F0054,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe

6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe

6246f7ae19ce0_Fri13a868de1.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ab338f8_Fri13f726be9ff.exe

6246f7ab338f8_Fri13f726be9ff.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a7a151d_Fri137e98926fc.exe

6246f7a7a151d_Fri137e98926fc.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

6246f7af345ac_Fri13b7f06884.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 624

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe

6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1996 -ip 1996

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 536

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d0f4cc40,0x7ff8d0f4cc4c,0x7ff8d0f4cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1996 -ip 1996

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 836

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3692,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5516,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\GH447H0961D6979.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5504 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4560,i,11163519786492569753,8666670669089002215,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 psychokitties.s3.pl-waw.scw.cloud udp
PL 151.115.10.4:80 psychokitties.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 algorithmically.s3.pl-waw.scw.cloud udp
PL 151.115.10.4:80 algorithmically.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 4.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 172.232.25.148:443 www.icodeps.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 148.25.232.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 ww99.icodeps.com udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 67.225.218.41:80 ww99.icodeps.com tcp
US 8.8.8.8:53 ww7.icodeps.com udp
US 199.59.243.227:80 ww7.icodeps.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 41.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
GB 142.250.187.227:80 c.pki.goog tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 116.202.106.111:9582 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.204.65:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 65.204.58.216.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 116.202.106.111:9582 tcp
DE 116.202.106.111:9582 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 116.202.106.111:9582 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 116.202.106.111:9582 tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
DE 116.202.106.111:9582 tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\setup_install.exe

MD5 955a80af149655652530e472782aaf79
SHA1 a581b2d53f8d2ca46458af201694789c0f501475
SHA256 c50bf0b1a0313c72b557df6a60fa9937873772d105084f68c83e4f74fff8ca47
SHA512 d610e8b64a445bf4306bcc980e6c3ead5ea898bbb8c03fa5f55202bf045042a28fdf15b9a8fd767131729f7b83c81c5b59a7a949a967d59370450b29e1268149

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4688-61-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4688-60-0x000000006494A000-0x000000006494F000-memory.dmp

memory/4688-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4688-58-0x0000000000EC0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4688-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4688-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4688-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4688-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4688-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4688-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a94bb5c_Fri136aafed62.exe

MD5 8daa50a23acd7af738f176b2590e94c6
SHA1 2d58cb919ea524591bc6a08ff3fe77ae0db6221f
SHA256 4d24517c0f7a7e07c07d3f4b819cd5f5165c7044bcc932e51ba39f082847d19a
SHA512 3aca67a8d507d4029fb24b8f0b9a7aef57f70a16c833a9cfb2b51022fad4e54507edea21c2a4888843c6a9e4f6513ff49c0296dc09b45328d1c8300b9f90de87

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7af345ac_Fri13b7f06884.exe

MD5 84e9047be9d225a784b8855640a6d034
SHA1 deadecb0340b58236fd4e6127b0a545c47e7393e
SHA256 40fd6365f236050b75bd96ad7cab07c6b6875ce2c76016499bed58e5a27ef0de
SHA512 8a721f423f61504bf0de5acedf37a5e48d8f8e7d74a547f1865904e168622a075d64f1bb7b2aa8f150a0eb0d1e035d342d5268b4ab460c18713ce6425330da50

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a522790_Fri130206254.exe

MD5 6eced1a017445828224259a62a663478
SHA1 e478e5e94d4fdb6d3f7c9bc1eb3a3faef7a27a8b
SHA256 9caee013dc3b0158f883dd8926181e10993612769504be3884f0c5eb49c0a524
SHA512 878892ba72658b67a78c1add2a5c0af900ed0d40a44664c89c993aa3a6b0733957d7f11317b8942e51c0139afea967f7ef3e9dc23ed0cc75f8553fd23d92fe64

memory/800-96-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7aa4b416_Fri133529ec01f5.exe

MD5 0a8d60731fe6e1dd5ab0e42ec68dd655
SHA1 5e0adf2c89c6dbf83f19e79d83b40402880884f9
SHA256 e0c54390047af2d8491d9fd8032f3b2dec88cd34eb854aff8fb118ee7bd03ef3
SHA512 58e96d65bf876d65372dd7c748933e2212676111e344ab749e4150dd3616eba140d2e128ef616aa8e0345c7db78e28c2157843c355e66cdc74c77f9c9e48a490

memory/4688-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4688-88-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-U27E9.tmp\6246f7aa4b416_Fri133529ec01f5.tmp

MD5 25ffc23f92cf2ee9d036ec921423d867
SHA1 4be58697c7253bfea1672386eaeeb6848740d7d6
SHA256 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703
SHA512 4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ae19ce0_Fri13a868de1.exe

MD5 9f2ba6cffd2e51c63f1f0bf153b87823
SHA1 a00e56425d201225c41b13f22a09fb4562bc1cf4
SHA256 30b2aac192d6bb77baf163dd16ee9c2b1e928d9ff62cbeee1ace6aa2d84d59e9
SHA512 b97b73f356319e59d95010ce06b578db0f5a1f84c7863c066b1982a8106f6c86769b003e2ffde00941ce74b9f15bca8990fbffe6b350ff4a40166bc0bf416c7d

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7ab338f8_Fri13f726be9ff.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

memory/4688-92-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4688-91-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4688-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4688-84-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7a7a151d_Fri137e98926fc.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7710e6e4_Fri133f08d0114d.exe

MD5 d51275ff35e617742f06569fe0dc9cde
SHA1 ec6f2e1ff8463c1f8d3cc4421af5815798e053f6
SHA256 3d8077e64cf958be5a75783bba6c01719debd50a55b02d23d12e758ee7af5a8b
SHA512 e2f37ccf8bf221ac779f53d20029f7caa85cdef56ade371b82a8ac366420bc6abdcf47b2d1f7f83ed70420752822a60b7026cba7e2372d49438c5e9949b8a71a

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f76e6acbe_Fri134d8724752.exe

MD5 c4753d4efda428971afd33ec13a00e9b
SHA1 8801c82e95d5d5ab2c87e81b6b7768142df957f3
SHA256 8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
SHA512 b651210962348faa03ec31874e37958c9294e58aa709199ffaa7f4e53d39e4100e2c2457f65bb0e72e5b8293ff07be0c421f8073f0d2b67a8923b5292f5300b0

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f76c1f60f_Fri1395d364.exe

MD5 aa1a33a40570d4fd2f17c569f4ab1170
SHA1 fc9b9b6ef3235ea76c3b5fd5ded6b4554eaa01c2
SHA256 e97a44529a5f1e223d471f68a1fe6bddb0754b4a4880067b6872154a781fd6a5
SHA512 a1335b6b2c07ff9543634ffc3162facd8bac8d1bf24ed0a2a36246981994785838b5b1343c44bcf55ce771dfe5bcda44a18fc0bdd9cdee5f7f652065642bf115

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f75453fd2_Fri1347852ec.exe

MD5 479ba7ea1f2fa2cd51a3ca59a9638010
SHA1 8992de6c918131fbe8821dd16cc0277951cd362c
SHA256 d66c7fb807beccc1fa5a7d4162d3e8e2d553ba560653a404e1ce6de68ba8c801
SHA512 70be353017f77f5b4fd82738700843bdc5848f175a39d07626dd9f4cb59b4d685dadf69de156f00c62dcc76f8fba233656df258ea103e1000ff038305580179f

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f75363f77_Fri1366dac3a944.exe

MD5 e0f600d0f15da0780b95105788201417
SHA1 9cc5b5d64157444815b101f8500c8535b36a4e62
SHA256 938cbc262bfa2cdf449c75a47d92ef6a719f298ce96598057d42476b3098f5a4
SHA512 a95aa09cd549ea32a1ddd1c78c6a1b90a2720f962f095377a321cf61af0fd5e22fafd40bf13c9d1135c5a71a1b82201c47680e8eedae20c1321d60186bb097cb

C:\Users\Admin\AppData\Local\Temp\7zS481A9E47\6246f7528c7e5_Fri13be9f3c6.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/4688-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4688-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4688-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4688-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4688-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1248-115-0x00000000004E0000-0x0000000000659000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-K4OBS.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2684-116-0x0000000000A90000-0x0000000000AE6000-memory.dmp

memory/2248-118-0x00000000032A0000-0x00000000032D6000-memory.dmp

memory/2684-127-0x00000000052D0000-0x00000000052EE000-memory.dmp

memory/4940-129-0x0000000140000000-0x00000001406C5000-memory.dmp

memory/1248-131-0x00000000004E0000-0x0000000000659000-memory.dmp

memory/800-136-0x0000000000400000-0x0000000000414000-memory.dmp

memory/824-128-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2248-126-0x0000000005B10000-0x0000000006138000-memory.dmp

memory/2248-138-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/3688-142-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3688-140-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2248-145-0x0000000006290000-0x00000000065E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qr3ddizf.jly.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2248-139-0x0000000006220000-0x0000000006286000-memory.dmp

memory/2248-137-0x00000000058B0000-0x00000000058D2000-memory.dmp

memory/2684-153-0x00000000059D0000-0x0000000005F74000-memory.dmp

memory/1248-132-0x00000000025E0000-0x0000000002627000-memory.dmp

memory/1248-125-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

memory/1248-124-0x00000000004E0000-0x0000000000659000-memory.dmp

memory/1248-123-0x00000000004E0000-0x0000000000659000-memory.dmp

memory/2684-117-0x00000000052F0000-0x0000000005366000-memory.dmp

memory/2248-155-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/2248-154-0x0000000006880000-0x000000000689E000-memory.dmp

memory/2248-173-0x0000000006E00000-0x0000000006E1E000-memory.dmp

memory/2248-163-0x0000000073540000-0x000000007358C000-memory.dmp

memory/2248-162-0x0000000007870000-0x00000000078A2000-memory.dmp

memory/2248-174-0x0000000007910000-0x00000000079B3000-memory.dmp

memory/2248-175-0x0000000008240000-0x00000000088BA000-memory.dmp

memory/2248-176-0x00000000078E0000-0x00000000078FA000-memory.dmp

memory/2248-177-0x0000000007C20000-0x0000000007C2A000-memory.dmp

memory/2248-184-0x0000000007E10000-0x0000000007EA6000-memory.dmp

memory/2248-185-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

memory/2248-186-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

memory/2248-187-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

memory/2248-188-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

memory/2248-189-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

memory/4896-202-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6246f7af345ac_Fri13b7f06884.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4896-206-0x00000000056C0000-0x0000000005CD8000-memory.dmp

memory/4896-207-0x0000000005120000-0x0000000005132000-memory.dmp

memory/4896-208-0x0000000005250000-0x000000000535A000-memory.dmp

memory/4896-209-0x0000000005180000-0x00000000051BC000-memory.dmp

memory/4896-212-0x00000000051C0000-0x000000000520C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f4f6da0ffbd1fe5ced2dd74397b58bbf
SHA1 4da73745d395316a4c96ac269c7c7e5469dec66a
SHA256 7872424f97ee2d66c64e552d99f803c8c6afed4f1c91989c505e43693d16c7dd
SHA512 73b4f702e5ed6f7c929a48f4d4c10401c7e5e09a4978508a290ab11cb1f22359fa21004f39d9b4ffcc3fe5de2f65c9ea65c5ebcb1bba424db54fe269930f7ad8

\??\pipe\crashpad_1756_YYQRGXOPLQFZPGPB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1996-226-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1248-228-0x00000000004E0000-0x0000000000659000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1996-236-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1248-247-0x00000000004E0000-0x0000000000659000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir1756_282358853\5b687ab3-e588-41ba-8cf3-2dbf77687f7e.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir1756_282358853\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 30f52ac0160a7ac7afdd6f7faf5f1b60
SHA1 bd1cf6e7e75badf7daa991328697d874fa431bd8
SHA256 f7d8ad04e95092c4d4824953f4eeb0edb098ed77739586c15ae63f03d72fbabc
SHA512 623f67260339e9d6655bd72b3dd195b18c8d47fb55aec82981cb5f8ce96bed1e85e6fbcd51fd045de328761f8ad9621d508f7bb28e28ea55b1e30ff849256cf2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 05a4dee60a58167467d174e83d09f67c
SHA1 0593b601120fb5782008f741ff85017fc3efe1da
SHA256 7c6276795562767dbb183fcfa82b242a9370bf134df58eb66e4b4ad506b39d43
SHA512 42ba37eb24a2a22e7c7f89cb2c98511c42c6b146b7e87f7a7e9bbe52a6c2c7477a2127d4282c7fca119d10e400e2287a4e216f44357f68069f21b1bc645d986a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 08e4bdb1715251c4171ac4b730aff06a
SHA1 b36260b1b33eed6d54b541a805734242187e83dd
SHA256 625fb4bca0a43150d44f04f19812387d2fd62ab02bc0aa457354a84894a143a3
SHA512 97da72726f0acac96f884590e8fe9815814e7963b1700782c46e3d35471bc5e6d93540c393e735b68e262d790d7584bad56d0340f8506c90f89e1ea13647f2fc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 09b29e81c85e3b2e477f48987e4ac161
SHA1 30ab8a83508d62e3e72d0211b0e01bc9e4e5e4c8
SHA256 a163f9e01ac84d277e4266fbe0a29085966617cb9c89d365a79f7d27d293a373
SHA512 513281c2a7560c1aa5e7997f534dfae1c08978f2c63d1e1002e3c3129ff86ee0f0cec1811c2bdca5afe8d602311fe850c02acc7eb733cc4953e974bdb8255be5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 05d63adb4a4ad7b049ab911f44fa28b2
SHA1 8acc63be5cf3d78b549ff2312b42292f654457cf
SHA256 bf7d81bdb46d354e6271ca630a174405c6f03402acc7cf1f247d9706ab94f65d
SHA512 15d0538f9ed53e61eee7b3a9bee8aed7fd5d0e37f063954f1d668e03c6a8b6cdcedc75a62ca8f10e252db62530ba01b4c70d54f984e03dca5ff40d00f7a6dcd8

C:\Users\Admin\AppData\Local\Temp\GH447H0961D6979.exe

MD5 8719ce641e7c777ac1b0eaec7b5fa7c7
SHA1 c04de52cb511480cc7d00d67f1d9e17b02d6406b
SHA256 6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea
SHA512 7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

memory/1248-673-0x00000000025E0000-0x0000000002627000-memory.dmp

memory/1248-675-0x00000000004E0000-0x0000000000659000-memory.dmp

memory/3512-676-0x000002301F5A0000-0x000002301F5A6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 b8a4a2209e51b573f20456486cc33a16
SHA1 d0608b7c6aad0fe39c5cb8d6c06c91aba9f60276
SHA256 9f3dc99f858853ff26f3cdbc92914824cce94d5514192e4f605460e69c06b3df
SHA512 c4f671b15d0d6a84ac90c77ef475ce562014e094209f0ad1a85f6d239a8323e41c1af22e983ae9c1ae8d4b93449fcce5487f8444905f8887d172cb017ef09ee0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 63f43a79fa7c943cb329c595580466f5
SHA1 70005685a95aa1bb6ce4f3c0cd3c7af36a0d1c7e
SHA256 0e41f4c7b8ade80d0204614cfaa5f8f4a4464210c3134d4703c6968144eb541d
SHA512 727e36dafe1a7a934aa8aae1957bde06513bbe09159b5af0d9fd15063d01b891464ad8a81da49ed23ed359488ca003762c080a707d219ed7cff3e6f9d01b1425

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0bd005cc-cb0e-4468-9ba8-505851ce2aa5.tmp

MD5 c7e2b2e1b6dd77627e1aa87cf8166460
SHA1 595f32414eadc1a4006b88633ba9f810a148bccd
SHA256 212372a28cf4a6be9ec7de536fffa7000f659f257590544d17b1003f2cade895
SHA512 116748aa7c220ae08de113808ab857133572e68f82fc1bbc256abbf91561d31295930996919096a3c28cd4fe3c6d7a1cf42fe69201773cd064eca3d7ff47c880

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 375a3601e5a3dc1ef321f64dca6a9969
SHA1 f779ddbd1a853d9742d5dc8004af58822f9e8689
SHA256 8c67d32934858978ffbc8c2b482a893789368b0be453ddc81d1fe5301b697a3b
SHA512 70b2a7241652a823d3ddba696e7846071fde9f03ad730eb317d679bb64e68562c120b7fec977f874171617f193b9acd87c1f7129b5347fd90cd0c3b905eb5455

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 02cc090ec39906de8cb3a07adbf646af
SHA1 97d3ff2d966b58109faa1d2faba19567b97b8400
SHA256 4cb3681344ce39a28d7564d28d426ccd42d95d87ee468fbe44f3772bcf3add91
SHA512 4f502df0ebd40e4de9f0454180c18c4cdd88b647833fee278775f54d439669075bb82b838131a0e079be71a1c159f5745dac390c0fa13f84f5c3098adc4f56b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b047f754fb217c71e1cf5f3f2aae96b5
SHA1 e3d69f85e4cead32c31d2f836d0ebd6f47eeffcb
SHA256 5e81639a8cc57f9e5d0b056f04e4faf8a8e75c7b52342fbeded388309c032da5
SHA512 7c084df8878359aa404fb7f224d0f6090a4e8eeb70cd47629fe5fc154f17c7c40063ad0427b55cceee2042cfa0b7313f21603c3b4e64197998bee84c50375f29

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 dd6c848eb6c030c37908ab15cee7f97e
SHA1 78330338b28d58bc93be94f0b84876a4f1b41ce4
SHA256 958f2df63a7520ce0ef4a779ca6a0e99370afd8e1d42e6220fd649886009cdac
SHA512 26b70b0fc5bc4225df6953b6a7bd01312fc28bda930e23800191c8fd3faca36c4e1664c8d4d1f1d00f70c6574ae774f8f37b84c149464caa95c1238cc479aed8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 673b4a29664585030b41af534f6e84dc
SHA1 1d6b4f6d05c54f9099dee91b92f13e0baa179212
SHA256 34ab6975056b240d17ac756193b2e2afea629c5ae4a6538311f74c4c287bebc0
SHA512 bb8c7ae9cb98cca9ed0387d387b2bdf5b34a5a0c0d77e384f4fdfe7645f4a368f39788db31b501c703ada196443e94040587d65407f10ba79311955b88004da5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3aa99e0840cf5038fc38d5d89dd83a38
SHA1 3e27cb03ce046e0c1db1677196007760300fd786
SHA256 83519a8f3d1db203d2a7c3e95c868f3fd0b70e8dd785d55e6be2fd3c1b0f40e6
SHA512 023bb21db532e6913a29dfc06ea385b63862803670af2c71c190a696951f00139287f67d915735577b78675b7503f35f91ce2251ce401e875c7adede5d175ae4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7577bf083cb785158ed1eced6adc0f0f
SHA1 63f0b08e349f91eadf39628666461ae3ea007a3c
SHA256 a83bbad516338686bdda1c8e4be4ee67de948eac83e340e3d2954d7042eb2391
SHA512 8fcf5a186890482ee2299683e362372fbd5ab524aa8f93cce2ca97f50e6af862e9942d532a4e0f0cb137310fe2dde34c4964abc82c7c613e21048a36092cef3b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5cb15ebcf7d5dc9ef05aeb71fb8c53c2
SHA1 54efef1d5b579ce7286a149a494442ac16ea59a5
SHA256 44ef323f74e96001d8366f4b805511c40c99e75a5004147507a8e396aac9a94a
SHA512 c094d2085b15269f68294cdff4716fd4a8621cdbef70bd60f9aa017994e53e08dd8deede3ddced2f9f629c4612b0678af2185d71c7d6369d34d4140b0a3fa661

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:26

Reported

2024-11-10 00:29

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75363f77_Fri1366dac3a944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a7a151d_Fri137e98926fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MQKSV.tmp\6246f7aa4b416_Fri133529ec01f5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RJBDE.tmp\6246f76c1f60f_Fri1395d364.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T0RTO.tmp\6246f76c1f60f_Fri1395d364.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JAHGL807HHKJKCG.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-T0RTO.tmp\6246f76c1f60f_Fri1395d364.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MQKSV.tmp\6246f7aa4b416_Fri133529ec01f5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RJBDE.tmp\6246f76c1f60f_Fri1395d364.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T0RTO.tmp\6246f76c1f60f_Fri1395d364.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75363f77_Fri1366dac3a944.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2496 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2288 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2292 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe

"C:\Users\Admin\AppData\Local\Temp\96e965e92237102b9f51aa2f7318bd46c0598232dbeca547dc1e78dcffd6ef35.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7528c7e5_Fri13be9f3c6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75363f77_Fri1366dac3a944.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe

6246f7528c7e5_Fri13be9f3c6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f75453fd2_Fri1347852ec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76c1f60f_Fri1395d364.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f76e6acbe_Fri134d8724752.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7710e6e4_Fri133f08d0114d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a522790_Fri130206254.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a7a151d_Fri137e98926fc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7a94bb5c_Fri136aafed62.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7aa4b416_Fri133529ec01f5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ab338f8_Fri13f726be9ff.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7ae19ce0_Fri13a868de1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6246f7af345ac_Fri13b7f06884.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe

6246f7a94bb5c_Fri136aafed62.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe

6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75363f77_Fri1366dac3a944.exe

6246f75363f77_Fri1366dac3a944.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe

6246f76c1f60f_Fri1395d364.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe

6246f7a522790_Fri130206254.exe /mixtwo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe

6246f7ab338f8_Fri13f726be9ff.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe

6246f7a94bb5c_Fri136aafed62.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe

6246f75453fd2_Fri1347852ec.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe

6246f7710e6e4_Fri133f08d0114d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe

6246f7aa4b416_Fri133529ec01f5.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe

6246f76e6acbe_Fri134d8724752.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ae19ce0_Fri13a868de1.exe

6246f7ae19ce0_Fri13a868de1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a7a151d_Fri137e98926fc.exe

6246f7a7a151d_Fri137e98926fc.exe

C:\Users\Admin\AppData\Local\Temp\is-MQKSV.tmp\6246f7aa4b416_Fri133529ec01f5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MQKSV.tmp\6246f7aa4b416_Fri133529ec01f5.tmp" /SL5="$70212,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7aa4b416_Fri133529ec01f5.exe"

C:\Users\Admin\AppData\Local\Temp\is-RJBDE.tmp\6246f76c1f60f_Fri1395d364.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RJBDE.tmp\6246f76c1f60f_Fri1395d364.tmp" /SL5="$3020E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe" -h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 272

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-T0RTO.tmp\6246f76c1f60f_Fri1395d364.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T0RTO.tmp\6246f76c1f60f_Fri1395d364.tmp" /SL5="$4020E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe" /SILENT

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -u xWuw.k /s

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2804 -s 488

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 484

C:\Users\Admin\AppData\Local\Temp\JAHGL807HHKJKCG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.icodeps.com udp
US 172.232.31.180:443 www.icodeps.com tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 psychokitties.s3.pl-waw.scw.cloud udp
US 208.95.112.1:80 ip-api.com tcp
PL 151.115.10.4:80 psychokitties.s3.pl-waw.scw.cloud tcp
US 172.232.31.180:443 www.icodeps.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 algorithmically.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 algorithmically.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 fashion-academy.net udp
US 172.232.31.180:443 www.icodeps.com tcp
US 8.8.8.8:53 gardnersoftwera.com udp
US 8.8.8.8:53 all-smart-green.com udp
US 172.232.31.180:443 www.icodeps.com tcp
US 199.59.243.227:80 all-smart-green.com tcp
US 8.8.8.8:53 getnek.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
N/A 127.0.0.1:80 N/A tcp
DE 116.202.106.111:9582 N/A tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
DE 116.202.106.111:9582 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
N/A 127.0.0.1:80 N/A tcp
DE 116.202.106.111:9582 N/A tcp
US 78.14.113.227:8080 N/A tcp
US 78.14.113.227:8080 N/A tcp
DE 116.202.106.111:9582 N/A tcp
US 8.8.8.8:53 sifddfks.mediagemslive.com udp
US 172.67.206.4:443 sifddfks.mediagemslive.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 116.202.106.111:9582 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e5debd90b07e67f9b1ae38e4412c86c4
SHA1 4b7e7161161709a25e5e655ee60f6eae3fa39c32
SHA256 c5c7eade46a64e20a9eae3757ec58a0c62f3d7e33971bacd7064a97588af39d8
SHA512 fb3bf8a363bac644f5ded4bd30ab779aa54d3e118b73893466ca93b738ad42f93ce0f3aafb7d1a1e0863f4a1506ac5faf588c344f4e812611e9c734157fe3113

\Users\Admin\AppData\Local\Temp\7zS0F81E596\setup_install.exe

MD5 955a80af149655652530e472782aaf79
SHA1 a581b2d53f8d2ca46458af201694789c0f501475
SHA256 c50bf0b1a0313c72b557df6a60fa9937873772d105084f68c83e4f74fff8ca47
SHA512 d610e8b64a445bf4306bcc980e6c3ead5ea898bbb8c03fa5f55202bf045042a28fdf15b9a8fd767131729f7b83c81c5b59a7a949a967d59370450b29e1268149

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2892-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2892-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2892-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2892-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7528c7e5_Fri13be9f3c6.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/2892-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2892-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2292-88-0x0000000000100000-0x0000000000114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76c1f60f_Fri1395d364.exe

MD5 aa1a33a40570d4fd2f17c569f4ab1170
SHA1 fc9b9b6ef3235ea76c3b5fd5ded6b4554eaa01c2
SHA256 e97a44529a5f1e223d471f68a1fe6bddb0754b4a4880067b6872154a781fd6a5
SHA512 a1335b6b2c07ff9543634ffc3162facd8bac8d1bf24ed0a2a36246981994785838b5b1343c44bcf55ce771dfe5bcda44a18fc0bdd9cdee5f7f652065642bf115

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75363f77_Fri1366dac3a944.exe

MD5 e0f600d0f15da0780b95105788201417
SHA1 9cc5b5d64157444815b101f8500c8535b36a4e62
SHA256 938cbc262bfa2cdf449c75a47d92ef6a719f298ce96598057d42476b3098f5a4
SHA512 a95aa09cd549ea32a1ddd1c78c6a1b90a2720f962f095377a321cf61af0fd5e22fafd40bf13c9d1135c5a71a1b82201c47680e8eedae20c1321d60186bb097cb

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7af345ac_Fri13b7f06884.exe

MD5 84e9047be9d225a784b8855640a6d034
SHA1 deadecb0340b58236fd4e6127b0a545c47e7393e
SHA256 40fd6365f236050b75bd96ad7cab07c6b6875ce2c76016499bed58e5a27ef0de
SHA512 8a721f423f61504bf0de5acedf37a5e48d8f8e7d74a547f1865904e168622a075d64f1bb7b2aa8f150a0eb0d1e035d342d5268b4ab460c18713ce6425330da50

memory/2892-127-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2892-126-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f75453fd2_Fri1347852ec.exe

MD5 479ba7ea1f2fa2cd51a3ca59a9638010
SHA1 8992de6c918131fbe8821dd16cc0277951cd362c
SHA256 d66c7fb807beccc1fa5a7d4162d3e8e2d553ba560653a404e1ce6de68ba8c801
SHA512 70be353017f77f5b4fd82738700843bdc5848f175a39d07626dd9f4cb59b4d685dadf69de156f00c62dcc76f8fba233656df258ea103e1000ff038305580179f

\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a522790_Fri130206254.exe

MD5 6eced1a017445828224259a62a663478
SHA1 e478e5e94d4fdb6d3f7c9bc1eb3a3faef7a27a8b
SHA256 9caee013dc3b0158f883dd8926181e10993612769504be3884f0c5eb49c0a524
SHA512 878892ba72658b67a78c1add2a5c0af900ed0d40a44664c89c993aa3a6b0733957d7f11317b8942e51c0139afea967f7ef3e9dc23ed0cc75f8553fd23d92fe64

memory/1764-110-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a7a151d_Fri137e98926fc.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

memory/1764-109-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7ab338f8_Fri13f726be9ff.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

memory/1580-147-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

memory/2676-151-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2676-153-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7710e6e4_Fri133f08d0114d.exe

MD5 d51275ff35e617742f06569fe0dc9cde
SHA1 ec6f2e1ff8463c1f8d3cc4421af5815798e053f6
SHA256 3d8077e64cf958be5a75783bba6c01719debd50a55b02d23d12e758ee7af5a8b
SHA512 e2f37ccf8bf221ac779f53d20029f7caa85cdef56ade371b82a8ac366420bc6abdcf47b2d1f7f83ed70420752822a60b7026cba7e2372d49438c5e9949b8a71a

memory/2676-155-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1696-158-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1000-157-0x0000000000D80000-0x0000000000EF9000-memory.dmp

memory/1564-160-0x0000000000400000-0x00000000004CC000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f7a94bb5c_Fri136aafed62.exe

MD5 8daa50a23acd7af738f176b2590e94c6
SHA1 2d58cb919ea524591bc6a08ff3fe77ae0db6221f
SHA256 4d24517c0f7a7e07c07d3f4b819cd5f5165c7044bcc932e51ba39f082847d19a
SHA512 3aca67a8d507d4029fb24b8f0b9a7aef57f70a16c833a9cfb2b51022fad4e54507edea21c2a4888843c6a9e4f6513ff49c0296dc09b45328d1c8300b9f90de87

memory/1000-166-0x0000000000510000-0x0000000000557000-memory.dmp

memory/1000-165-0x0000000000D80000-0x0000000000EF9000-memory.dmp

memory/1000-156-0x0000000000D80000-0x0000000000EF9000-memory.dmp

memory/1000-164-0x00000000002C0000-0x00000000002C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0F81E596\6246f76e6acbe_Fri134d8724752.exe

MD5 c4753d4efda428971afd33ec13a00e9b
SHA1 8801c82e95d5d5ab2c87e81b6b7768142df957f3
SHA256 8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
SHA512 b651210962348faa03ec31874e37958c9294e58aa709199ffaa7f4e53d39e4100e2c2457f65bb0e72e5b8293ff07be0c421f8073f0d2b67a8923b5292f5300b0

memory/1188-174-0x0000000000C50000-0x0000000000CA6000-memory.dmp

memory/1580-167-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2804-183-0x0000000140000000-0x00000001406C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TPHP0KC1ACMPUE8ILD62.temp

MD5 fe05092a72f2c2314fbbefa2950dd66c
SHA1 43d2d0ee8c2bbd66fdb97e18567ca65d1e74aded
SHA256 1433f9cc0786f485ec0bb2c8cb3d6038a76a5f8df0a90db1e2c2c57381a34945
