Malware Analysis Report

2024-11-15 09:02

Sample ID 241110-zq9gravjc1
Target 08be2960808aa7cde50c5806d5d8aafb8363ca8d
SHA256 a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
Tags
fabookie nullmixer socelars aspackv2 discovery dropper execution spyware stealer gcleaner onlylogger redline smokeloader media60603 pub3 backdoor infostealer loader trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

Threat Level: Known bad

The file 08be2960808aa7cde50c5806d5d8aafb8363ca8d was found to be: Known bad.

Malicious Activity Summary

OnlyLogger

GCleaner

Socelars

Socelars family

RedLine

Smokeloader family

Detect Fabookie payload

Nullmixer family

Fabookie

Gcleaner family

Redline family

Socelars payload

Fabookie family

Onlylogger family

SmokeLoader

RedLine payload

NullMixer

Detected Nirsoft tools

NirSoft WebBrowserPassView

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Drops Chrome extension

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Kills process with taskkill

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 20:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 20:56

Reported

2024-11-10 20:59

Platform

win7-20241010-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
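
The rows above are the sandbox's record of which process wrote into which other process. A parent writing into a child it has just created is what CreateProcess does, so no single row is the signal; the shape of the tree is. The following is an added example, my code rather than anything from the report, that parses the rows into a process tree, collapses the repeated rows into a per-edge write count, and flags the fan-out pattern visible here: one dropped installer spawning many cmd.exe wrappers, each of which launches another dropped executable. The input is a copy of the rows above (two of the repeats kept); the `min_children` threshold is my choice.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory table above
# (two of the repeated rows kept to show how the parser collapses them).
# The sandbox logs one row per WriteProcessMemory call, hence the repeats.
ROWS = r"""
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2528 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
"""

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>";
# the indicator column is always N/A in this report and paths carry no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return one (parent_pid, child_pid, parent_image, child_image) tuple per row."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edges.append((int(ppid), int(cpid), pimg, cimg))
    return edges


def build_tree(edges):
    """Collapse repeated rows into {parent: {child: write_count}} plus a pid -> image map."""
    children = defaultdict(lambda: defaultdict(int))
    images = {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid][cpid] += 1
        images[ppid] = pimg
        images[cpid] = cimg
    return children, images


def roots(children):
    """Parents that are nobody's child: the top of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for cpid in sorted(children.get(pid, {})):
        lines.extend(render(children, images, cpid, depth + 1))
    return lines


def fan_out(children, images, min_children=5):
    """Parents that spawn many children through the same LOLBin wrapper.

    This is the shape in the report: setup_install.exe launching N x cmd.exe,
    each 'cmd.exe /c <dropped>.exe'. Returns (pid, parent name, child count).
    """
    hits = []
    for ppid, kids in children.items():
        if len(kids) < min_children:
            continue
        wrappers = {basename(images[c]).lower() for c in kids}
        if wrappers == {"cmd.exe"}:
            hits.append((ppid, basename(images[ppid]), len(kids)))
    return hits


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, images = build_tree(edges)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    for ppid, name, n in fan_out(children, images):
        print(f"fan-out: pid {ppid} ({name}) spawned {n} cmd.exe children")
```

Run against the full table the same code reports 2528 (the submitted sample) as the root, 2832 (setup_install.exe) as the only fan-out node, and nine distinct cmd.exe children under it, matching the `cmd.exe /c <dropped>.exe` lines in the process list that follows.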

Processes

C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
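
Of the commands above, the one that matters most to a defender is the Defender exclusion: `Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"`, run through `cmd.exe /c powershell`, whitelists the staging folder before the dropped payloads execute. The following is an added example, my code rather than the sandbox's or the malware's, that scans process-creation records for Add-/Set-MpPreference tampering, decodes `-EncodedCommand` payloads before matching, accepts PowerShell's abbreviated parameter names (`-ExclusionPa`), and rates an exclusion of a user-writable path higher than one under Program Files. The record layout (`pid`, `image`, `cmd`), the PIDs, and the last three command lines are constructed for the example; the first two command lines are copied from the process list above.

```python
import base64
import re

# Process-creation records in a Sysmon EID 1 / Security 4688 shape, with assumed
# field names "pid", "image", "cmd".  Constructed input: the first two command
# lines are copied from the report, PIDs and the other three records are made up.
ENCODED = base64.b64encode(
    r"Add-MpPreference -ExclusionPa 'C:\Users\Admin\AppData\Local\Temp'".encode("utf-16le")
).decode()

EVENTS = [
    {"pid": 2616, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'},
    {"pid": 2900, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'},
    {"pid": 3100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoP -w hidden -enc " + ENCODED},
    {"pid": 3200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft SQL Server'"},
    {"pid": 3300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -Command Get-MpPreference"},
]

# Add-/Set-MpPreference followed by an -Exclusion* parameter (any unambiguous
# prefix PowerShell would accept) or -DisableRealtimeMonitoring, then its value.
TAMPER_RE = re.compile(
    r"(?P<cmdlet>(?:Add|Set)-MpPreference)\b.*?"
    r"-(?P<param>Exclusion\w*|DisableRealtimeMonitoring)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE | re.DOTALL,
)
# -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Locations an unprivileged dropper can write to; excluding these is the bad case.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp", "\\appdata\\", "\\temp\\")


def expand_encoded(cmd):
    """If the line carries an -EncodedCommand, append the decoded script text."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd, False
    return cmd + " " + decoded, True


def severity(param, value):
    """Excluding a user-writable folder (this sample excludes %TEMP%) or turning
    off real-time protection is high; an exclusion elsewhere still warrants review."""
    target = value.strip("\"'").lower()
    if param.lower().startswith("disablerealtime"):
        return "high"
    if any(marker in target for marker in USER_WRITABLE):
        return "high"
    return "medium"


def analyse(cmd):
    """Return a finding for a Defender-tampering command line, or None."""
    text, encoded = expand_encoded(cmd)
    m = TAMPER_RE.search(text)
    if not m:
        return None
    return {
        "cmdlet": m.group("cmdlet"),
        "param": m.group("param"),
        "value": m.group("value").strip("\"'"),
        "severity": severity(m.group("param"), m.group("value")),
        "encoded": encoded,
    }


def scan(events):
    findings = []
    for ev in events:
        finding = analyse(ev["cmd"])
        if finding:
            finding["pid"] = ev["pid"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        note = "  [decoded from -EncodedCommand]" if f["encoded"] else ""
        print(f"pid {f['pid']}: {f['severity']:6} {f['cmdlet']} -{f['param']} {f['value']}{note}")
```

A parent-child rule (cmd.exe spawning powershell.exe whose command line mentions MpPreference) catches this sample's exact chain, and `Get-MpPreference` on a suspect host shows whether the exclusion landed. Command-line inspection is bypassable, so also alert on Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which Defender writes whenever its configuration, exclusions included, changes, independent of how the change was made.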

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe

MD5 dc72933d86bf031b858123f48c4fd14f
SHA1 ee6b17d8e965f2175dc7837c1b7cb0020c24a781
SHA256 a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831
SHA512 62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2832-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2832-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f94837e687_Wed16b4f13b0b4.exe

MD5 5b667f4b728b93ed5951e7bfddf8fb21
SHA1 00258995bd0f0b43af92656d217903e62b4229bd
SHA256 ac6cbfa5a8097b446fc0b6d7fb464c55425cf8093f3147f65b0bde3a08e1f3c1
SHA512 4f3fc716db01afab932bb800e4b26a729f47f693b4490176548cc67cca9c9957e155a04fd10ecf098c8a1c02dbca3dc8695cc67af545376aff771c207a6eee77

memory/2832-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948855a5b_Wed16c9c6da01a3.exe

MD5 894759b7ce3835029711d032205ec472
SHA1 e8824dffbc468e4dcdfd06094597776b3c4be593
SHA256 c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044
SHA512 ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948449020_Wed163088fdd.exe

MD5 c5ae00bc9521abc87b2143826b88731a
SHA1 ef44d7c5cc9fa1b61070a2aacd76a4718ccacf5e
SHA256 2d23db5f735a5b3111cdf867a611d73c757797bc28f099feef6d5d14154b31b1
SHA512 1f91288c9608cd83a3b7355b8523a3175b369d771cd5b3142ea8eb2c1ee0f3e69f13618e5ce5b7c6bc068cee61211bdc3a2a17c874a3802892125e97a0dd522a

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948d05937_Wed16374c3beda.exe

MD5 aa5254e8284e33aa8f60e9f4e9e8b1c5
SHA1 465f8b854048fc21a99b2f746c961bea598a4c38
SHA256 9780e353d9670c8ab8177d23af1ec3acdaa740a9f5f13f77e88f1f9de5ed8323
SHA512 024062930947a3d34d5fc01f1633aa8a09524a9537651269f090f800f9a248d551a7144e2726f9b3303c81237c00149b8bbe2f0de235d70ebe525534eac91fde

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f949237c58_Wed168fc449f.exe

MD5 c427835b14238569c986d5543b36e0cb
SHA1 552d3752d6276cf8eebbf0ef976954e340930b14
SHA256 8804babd5cc914c36e67fb2a2b3086ce3b3a6b7d676749f5700f9eb41796c458
SHA512 dfe034d6f89a0068d9f1c33e4cc0df47ebfa0d38dc33884295a466f1126b24dbe78e56ef905f218636a2b3f780b28a62f5164ddf01502324854a81163c7539b8

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948fe5007_Wed163feaf0.exe

MD5 749b436db9150b62721e67aa8d5bdebb
SHA1 a5b77f7cede8c4c40d96e941a941862b6a9c1a23
SHA256 9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc
SHA512 ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3

memory/2832-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2832-98-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2832-97-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2832-96-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2832-94-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2832-90-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f94aa19419_Wed16184b9bf0.exe

MD5 9955dd419c83119488778affdab16717
SHA1 da24a018dc2411f9c646c8770b34ad659387e931
SHA256 91c178a3c15eb95b93cd8d61be8a80c2eac2b66149e744b9e23a53fb9c68927f
SHA512 e4dfb73ab1812e22f783d269d9cdc7814134237d35887bc55dc1e105e3d95f64ed6851200dbecd8819e71927ac542fefbdbdf7b7bc318e90806a0912a2212e90

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f9490c9091_Wed16d3d6c5.exe

MD5 65a916a503ac8875b7a38d04f9ec53cd
SHA1 6fe3351cdd4e684ee2eccceabe7ec515f508a6a2
SHA256 bc84e7b06f99196ef82c0d5356644ed3fe1d897257e9e8149cf83e686e285618
SHA512 574071f47f85552cc8de4c26230528db1a7034a5ac454d704a29cfe2d919c9be36f23aa2be4c5ed59554613fe20382a95d5b7e31e43d32e0cd3fc7e4a2b1be71

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948e7f7ef_Wed16b426d6adc1.exe

MD5 afe6087457ae59ca0d071370f60a3e86
SHA1 b576cae50f011161d729a257ea3c3f3ff9b47dd6
SHA256 d77eb517c120ffc52cb3bc21e2c592625073b0ba287f9f5cf8e9822a6fe00a95
SHA512 3aecbb441a22f247e84288e94020759f567e1d086a5f59cdd119e14612bb71a1c1dc5cbc80b951456fecdc10737b69a47bc3dc07059dbb94a46aab85247ba570

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948b816de_Wed16bd6eaa.exe

MD5 f47ef25d6fbd8fb1709ac978104480d9
SHA1 861dee7ae35269baf7429147f1089004dbdbbc75
SHA256 b141a340d0703b0dbe579bf42a8eb865b6d8bdc6ec5323215e7de9eeb890c788
SHA512 cf0332bcb6a75be665aafae033b3e810c0120aac02c3c3a4b5534788420ee7013e03bbaffa830fc34be19750efba1ef5205b2c356825ba02f6664816e98442d8

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f948a0fc8a_Wed1650732795.exe

MD5 8f12876ff6f721e9b9786733f923ed5a
SHA1 4898a00c846f82316cc632007966dfb5f626ad43
SHA256 9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533
SHA512 1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f9482b3cb5_Wed16d6773e4.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/2832-76-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2832-75-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2832-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2832-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2832-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2832-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2832-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2832-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2832-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2832-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f9486b4516_Wed16eb16ea4.exe

MD5 e1a8bb1c0d082168f5433a1bdd03b66b
SHA1 71e43669b4a74b4f830d3e74f5750dc7be78e085
SHA256 1286c91bd81aaccf5df1da0c78298a91d1d77bcddfe65871568b0661fb227929
SHA512 11fd29f912d52bb0984f39b4c12d7f2ead645abf0866b8e6f725a3c1bae154bb120859ce9e6f1010edf01f6dc7f3a2b6ca5071fff2e8a88c4e8a134808bfee49

memory/2832-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
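
The Files section above is a flat list: a path line followed by MD5, SHA1, SHA256 and SHA512 lines, with `memory/<pid>-...-memory.dmp` entries mixed in that name a memory dump and carry no hashes. The following is an added example, my code rather than part of the report, that parses that layout into records, indexes every digest so a hash of any supported algorithm can be looked up case-insensitively, and groups files by directory so the `7zS...` staging folder stands out. The excerpt is copied verbatim from above; the `directory` normalisation assumes that the two spellings the report uses for the same folder (`\Users\...` and `C:\Users\...`) refer to one location.

```python
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the Files section above, copied verbatim,
# with one memory-dump line kept to show that those entries carry no hashes.
FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\setup_install.exe

MD5 dc72933d86bf031b858123f48c4fd14f
SHA1 ee6b17d8e965f2175dc7837c1b7cb0020c24a781
SHA256 a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831
SHA512 62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2832-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0E9A8FC6\621f9482b3cb5_Wed16d6773e4.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGO_BY_LEN = {n: a for a, n in DIGEST_LEN.items()}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def directory(self):
        # The report writes the same folder as "\Users\..." and "C:\Users\...";
        # strip the drive letter so both spellings group together (assumption).
        return re.sub(r"^[A-Za-z]:", "", self.path.rsplit("\\", 1)[0])


def parse_files_section(text):
    """Return (dropped files with their hashes, (pid, line) per memory dump)."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest.lower()
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append((int(m.group(1)), line))
            current = None  # dump entries never carry hashes; reject strays
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def build_index(files):
    """digest -> DroppedFile, all algorithms in one lookup table."""
    return {d: f for f in files for d in f.hashes.values()}


def lookup(index, digest):
    """Match a digest of any supported algorithm; returns (algorithm, file) or None."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d) or len(d) not in ALGO_BY_LEN:
        raise ValueError(f"not a supported hex digest: {digest!r}")
    f = index.get(d)
    return (ALGO_BY_LEN[len(d)], f) if f else None


def staging_dirs(files):
    """How many dropped files each directory received."""
    counts = {}
    for f in files:
        counts[f.directory] = counts.get(f.directory, 0) + 1
    return counts


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_SECTION)
    index = build_index(files)
    print(f"{len(files)} dropped files, {len(dumps)} memory dumps")
    for d, n in staging_dirs(files).items():
        print(f"{n} files staged under {d}")
    print(lookup(index, "A4FA4AA6DBD692660840D051EC283D262F32037CCADF9445D2EA86DD664B5831"))
```

Fed the complete section, the parser yields one record per dropped executable and DLL under the `7zS0E9A8FC6` folder and separates out the `memory/2832-...` dumps, which belong to the setup_install.exe process (PID 2832) rather than to any file on disk. Match on SHA256 where the source allows it; the MD5 and SHA1 columns are kept only because older blocklists still key on them.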

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 20:56

Reported

2024-11-10 20:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948d05937_Wed16374c3beda.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-47LA7.tmp\621f948a0fc8a_Wed1650732795.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9482b3cb5_Wed16d6773e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94837e687_Wed16b4f13b0b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948e7f7ef_Wed16b426d6adc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f949237c58_Wed168fc449f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948fe5007_Wed163feaf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948d05937_Wed16374c3beda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94aa19419_Wed16184b9bf0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PODRL.tmp\621f949237c58_Wed168fc449f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9490c9091_Wed16d3d6c5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-47LA7.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8MAA6FE30KF5425.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CGAT4.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58b040.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94aa19419_Wed16184b9bf0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f949237c58_Wed168fc449f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948d05937_Wed16374c3beda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-47LA7.tmp\621f948a0fc8a_Wed1650732795.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PODRL.tmp\621f949237c58_Wed168fc449f.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9490c9091_Wed16d3d6c5.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e58b040.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9482b3cb5_Wed16d6773e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94aa19419_Wed16184b9bf0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948e7f7ef_Wed16b426d6adc1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-CGAT4.tmp\621f948a0fc8a_Wed1650732795.tmp N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757458286558300" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94837e687_Wed16b4f13b0b4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (13 events)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (13 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (26 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe (3 events)
PID 4064 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 4064 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 432 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 3948 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9482b3cb5_Wed16d6773e4.exe (3 events)
PID 2116 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94837e687_Wed16b4f13b0b4.exe (2 events)
PID 3164 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe (3 events)
PID 1196 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe (3 events)
PID 3844 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe (3 events)
PID 1944 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe (2 events)

Processes

C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe

"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9482b3cb5_Wed16d6773e4.exe

621f9482b3cb5_Wed16d6773e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94837e687_Wed16b4f13b0b4.exe

621f94837e687_Wed16b4f13b0b4.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe

621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe

621f948855a5b_Wed16c9c6da01a3.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9486b4516_Wed16eb16ea4.exe

621f9486b4516_Wed16eb16ea4.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe

621f948a0fc8a_Wed1650732795.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948b816de_Wed16bd6eaa.exe

621f948b816de_Wed16bd6eaa.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948e7f7ef_Wed16b426d6adc1.exe

621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f949237c58_Wed168fc449f.exe

621f949237c58_Wed168fc449f.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9490c9091_Wed16d3d6c5.exe

621f9490c9091_Wed16d3d6c5.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948fe5007_Wed163feaf0.exe

621f948fe5007_Wed163feaf0.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948d05937_Wed16374c3beda.exe

621f948d05937_Wed16374c3beda.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f94aa19419_Wed16184b9bf0.exe

621f94aa19419_Wed16184b9bf0.exe

C:\Users\Admin\AppData\Local\Temp\is-PODRL.tmp\621f949237c58_Wed168fc449f.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PODRL.tmp\621f949237c58_Wed168fc449f.tmp" /SL5="$70226,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f949237c58_Wed168fc449f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f9490c9091_Wed16d3d6c5.exe

621f9490c9091_Wed16d3d6c5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3300 -ip 3300

C:\Users\Admin\AppData\Local\Temp\is-47LA7.tmp\621f948a0fc8a_Wed1650732795.tmp

"C:\Users\Admin\AppData\Local\Temp\is-47LA7.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$60218,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 216 -ip 216

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948855a5b_Wed16c9c6da01a3.exe" -h

C:\Users\Admin\AppData\Local\Temp\8MAA6FE30KF5425.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe

"C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 624

C:\Users\Admin\AppData\Local\Temp\is-CGAT4.tmp\621f948a0fc8a_Wed1650732795.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CGAT4.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$201EA,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948a0fc8a_Wed1650732795.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe

C:\Users\Admin\AppData\Local\Temp\7zS04EBD197\621f948449020_Wed163088fdd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3300 -ip 3300

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 748

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" .\ZMJYD.C /s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3300 -ip 3300

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 720

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 780

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffdf00cc40,0x7fffdf00cc4c,0x7fffdf00cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 868

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3696,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5464 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5108,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\e58b040.exe

"C:\Users\Admin\AppData\Local\Temp\e58b040.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 792

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5064,i,4594668936251375692,1093576696432906537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3664 /prefetch:8

Network


Files

SHA256 2f1c2317d08f6f5a035dc3dac0e1cedf09f0f2b99c467ddf0e200677f1352c12
SHA512 5069ba1bebcdad322431f6f9aaec5c3323c53b81b23b88b75f3a0aff73f40c3a88a66727974611281546941af556e36e09fe21b4591d8d81ab29113757d33040

C:\Users\Admin\AppData\Local\Temp\e58b040.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/4240-862-0x0000000000430000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d693e9200a152a9fe68668a5d160dd42
SHA1 351f8c7226b61292cd0264491eb317ea46c71d00
SHA256 9d5f7442e7cd281ae66cce1a4048bd4d6e9428434343db9dbcfd0ce2000717fe
SHA512 2c1feec128654e06d2badc80834da619376b919ed8150ca6a753fcd7fac0111487dda9be9b99d30b753935c994bd93e8e9d3e364a495a3a6fe028f5b355868fe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a008d2d7d1324a8f6d158d680fafa590
SHA1 41d5f87cecb273ef46ad600644f665e8dc1550a6
SHA256 c405cb7bf136a889ee03ef6e10768ff568488f3174f3a36b494395ffc782067f
SHA512 c8a5471426c86140b48d8b7a31ac514539853610f229dc52f0322f38e3f24ffba38405b9a4bb9988d165334f01172dbb841a7003a6852fdb8f1b9d5132f312e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 340d8f83de319345d6dece935ba47b55
SHA1 4b36af3a6ed1bdf4cb94b72a0c9276b79a27297c
SHA256 c8037721eeeff581dd8e62cfb21935713e49eb635877e1e1cafa63bcef9c30a8
SHA512 ea366c3ce426707e186aff9f066048e6523fe5b9b168a1fa22dac7976caba65b2c2782b865644bd733bceb5c09bbf66f0c245f104d713ae1854052e65909fd5a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 432a98e3222d4924f4203a2cc379954c
SHA1 c1658b7bbc90c18fd763ac931ad36969a0e70e2b
SHA256 fab478f981ae6819173f979709d31b144caf92703d7cbd9fc928c4093d75e286
SHA512 a9285fe9ad8e679414fd9c92937d2ef56d4fffaa36b4d14e20152c14f20b0cd112edb2e9df28e4867ccdcd9109048f764ac00ff6a43179912e3f6eb249cd56ec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1f6cea18de43df9d690ad9a20b4752d1
SHA1 88f544737d482012c8cbfc300452cf58ee94777e
SHA256 9069ac3f3aa6326551c6a7c86a2663d87c31c032807b5e4c43520cba90b0ce88
SHA512 998647e15b4b4be20f4a87a83359fcf77a9bcee6853c5c0ee37a04a6ab82f064192df171f1e887a17f06ce13e92954288ef2aa87c1ca5960cb7b8df9b4205bc1