Malware Analysis Report

2024-11-15 09:02

Sample ID 241111-ejyfpawjhq
Target 40c8505ae953230b7df57cd41ff9b958
SHA256 6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957
Tags nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner onlylogger smokeloader pub3 backdoor loader spyware trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 40c8505ae953230b7df57cd41ff9b958 was found to be: Known bad.

Malicious Activity Summary

Fabookie family

Nullmixer family

SmokeLoader

Socelars payload

NullMixer

Socelars

Detect Fabookie payload

Smokeloader family

GCleaner

Socelars family

OnlyLogger

Gcleaner family

Onlylogger family

Fabookie

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

ASPack v2.12-2.42

Looks up external IP address via web service

Drops Chrome extension

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Program crash

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported 2024-11-11 03:58

Signatures

Unsigned PE

Analysis: behavioral4

Detonation Overview

Submitted 2024-11-11 03:58

Reported 2024-11-11 04:01

Platform win10v2004-20241007-en

Max time kernel 149s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe N/A

VMProtect packed file

vmprotect

AutoIT Executable

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe
PID 3200 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe
PID 3200 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe
PID 1740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4788 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4788 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248bc6d13c_Mon235f07b88ae.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248c3cb9af_Mon237bf16061.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmt3dc3u.ruq.ps1

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248c2870d6_Mon23e0b3b0.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248c03c802_Mon23cf6fc42c67.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248bf51749_Mon23fd163f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248bd917de_Mon2341a56212.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248bae0b4f_Mon2315c1392c.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248871e3ed_Mon2348d8b4e.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\624248845c537_Mon23d60fef.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\62424882a2d43_Mon2366e91c07.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\62424880dba59_Mon2373ae22.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\6242487fd82aa_Mon2391599e.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\6242487ebee69_Mon2360fbbe475.exe

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS08CBC8C7\libgcc_s_dw2-1.dll

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-11 03:58

Reported 2024-11-11 04:01

Platform win7-20241023-en

Max time kernel 119s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe N/A

VMProtect packed file

vmprotect

AutoIT Executable

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 2152 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
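The rows above record one event per WriteProcessMemory call, so the same parent/child pair appears many times and the drop chain is hard to read. The following is an added example, not part of the sandbox report: it parses rows in exactly this format, collapses repeats into writer-to-target edges with a count, and prints the chain rooted at the submitted sample. The sample input is constructed here from the PIDs, image paths and repeat counts of the rows above; the parser assumes, as holds for this report, that image paths contain no spaces.

```python
import re
from collections import defaultdict

# One row per WriteProcessMemory event, in the report's format:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
# Image paths in these reports contain no spaces, so \S+ is sufficient.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Constructed sample: the PIDs, images and repeat counts of the report rows,
# regenerated here so the example runs offline.
SAMPLE_ROWS = "\n".join(
    [_row(2396, 2152, SAMPLE_EXE, INSTALLER)] * 3
    + [_row(2152, 3016, INSTALLER, SETUP)] * 7
    + sum(([_row(3016, pid, SETUP, CMD)] * 7 for pid in (2760, 2592, 2376, 2552, 2488, 848, 1816)), [])
    + [_row(3016, 1060, SETUP, CMD)]
)


def parse_rows(text):
    """Collapse repeated rows into {(writer_pid, target_pid): {"count", "src", "dst"}}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # headers, blanks and rows of other signatures are ignored
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"count": 0, "src": m["src_img"], "dst": m["dst_img"]})
        edge["count"] += 1
    return edges


def roots(edges):
    """PIDs that write into others but are never written to: the chain's origin(s)."""
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    return sorted(writers - targets)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render_chain(edges, root):
    """Indented, one line per process, of everything written to below `root`."""
    children = defaultdict(list)
    for (src, dst), edge in edges.items():
        children[src].append((dst, edge["count"], edge["dst"]))
    root_image = next(edge["src"] for (src, _), edge in edges.items() if src == root)
    lines = []

    def walk(pid, image, count, depth):
        note = f" ({count} write{'s' if count != 1 else ''})" if count else ""
        lines.append(f"{'  ' * depth}{pid} {basename(image)}{note}")
        for dst, n, dst_img in sorted(children[pid]):
            walk(dst, dst_img, n, depth + 1)

    walk(root, root_image, 0, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for root in roots(edges):
        print("\n".join(render_chain(edges, root)))
```

The tree shows the NullMixer pattern directly: the submitted sample writes into setup_installer.exe, which writes into the 7-Zip SFX stage setup_install.exe, which in turn writes into eight cmd.exe children that launch the bundled payloads. A parent writing into a child it has just created is what a sandbox records for ordinary process creation as well, so these rows alone are weak evidence of injection; the SetThreadContext row in behavioral2, where 624248bd917de_Mon2341a56212.exe sets the context of a second instance of itself, is the stronger hollowing indicator.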

Processes

C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
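The first thing setup_install.exe does through cmd.exe is add the drop directory to the Microsoft Defender exclusion list, so every payload it subsequently launches from C:\Users\Admin\AppData\Local\Temp runs unscanned. The following is an added example, not part of the sandbox report: detection logic over process command lines that flags Add-/Set-MpPreference calls, extracts the excluded paths, and rates an exclusion of a user-writable directory as high severity. The parameter list and the set of user-writable locations are assumptions chosen for this example; the constructed sample input contains the two lines from the process list above plus three made-up lines for contrast.

```python
import re

# Cmdlets that change Microsoft Defender settings (matched on the lower-cased line).
MP_CMDLETS = ("add-mppreference", "set-mppreference")

# Parameters that remove coverage.  This list is an assumption for the example;
# extend it to taste.  Exclusions pointing at user-writable paths are the worst case.
RISKY_PARAMS = (
    "-exclusionpath", "-exclusionprocess", "-exclusionextension",
    "-disablerealtimemonitoring", "-disablebehaviormonitoring",
    "-disableioavprotection", "-disablescriptscanning",
)

# Value following an -Exclusion* parameter: double-quoted, single-quoted or bare.
EXCLUSION_VALUE_RE = re.compile(
    r"""(?i)-exclusion(?:path|process|extension)\s+(?:"([^"]*)"|'([^']*)'|(\S+))"""
)

# Directories a standard user can write to (assumption, not exhaustive).
USER_WRITABLE_RE = re.compile(
    r"(?i)^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)"
)

# Constructed sample: lines 1 and 2 are the report's own, lines 3 to 5 are made up.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r"C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe",
    r"powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    r"powershell -Command Add-MpPreference -ExclusionPath C:\Backups,D:\Share",
]


def analyse_cmdline(cmdline):
    """Return None for a line with no Defender tampering, else a finding dict."""
    low = cmdline.lower()
    if not ("powershell" in low or "pwsh" in low):
        return None
    if not any(cmdlet in low for cmdlet in MP_CMDLETS):
        return None
    params = sorted(p for p in RISKY_PARAMS if p in low)
    if not params:
        return None
    values = []
    for m in EXCLUSION_VALUE_RE.finditer(cmdline):
        raw = next(g for g in m.groups() if g is not None)
        values.extend(v.strip() for v in raw.split(",") if v.strip())
    user_writable = [v for v in values if USER_WRITABLE_RE.match(v)]
    disables = [p for p in params if p.startswith("-disable")]
    severity = "high" if user_writable or disables else "medium"
    return {
        "rule": "defender_tamper",
        "params": params,
        "values": values,
        "user_writable": user_writable,
        "severity": severity,
    }


def scan(cmdlines):
    """Run analyse_cmdline over a list of command lines; return (index, finding) hits."""
    hits = []
    for i, cmdline in enumerate(cmdlines):
        finding = analyse_cmdline(cmdline)
        if finding:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_CMDLINES):
        print(f"[{finding['severity']}] line {i}: {finding['params']} {finding['values']}")
```

Two caveats when turning this into a rule. Add-MpPreference only succeeds from an elevated PowerShell, so a hit on a real host also tells you the dropper already had administrative rights; on a host where the change went through, Defender records it as Event ID 5007 (antimalware platform configuration changed) in the Microsoft-Windows-Windows Defender/Operational log, which is the authoritative confirmation that the exclusion now exists, whereas the command line only shows the attempt. Because the report shows the call wrapped in cmd.exe /c, match on the child powershell.exe process and keep the parent in the alert rather than relying on cmd.exe's own command line, which in other variants may only carry the batch file name.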

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e71bedc46122099d570715a1a7114d29
SHA1 b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256 bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f

\Users\Admin\AppData\Local\Temp\7zS868FB5D6\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3016-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS868FB5D6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3016-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

memory/3016-107-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-106-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-103-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3016-100-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3016-99-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zS868FB5D6\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/3016-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS868FB5D6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS868FB5D6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS868FB5D6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 03:58

Reported

2024-11-11 04:01

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c03c802_Mon23cf6fc42c67.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4284 set thread context of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c03c802_Mon23cf6fc42c67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-J593J.tmp\624248bf51749_Mon23fd163f29.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757711567244750" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9G2A1675DBHHJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C9G2A1675DBHHJ0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3968 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3968 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2804 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe
PID 2804 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe
PID 2804 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe
PID 4396 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe
PID 1476 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe
PID 1476 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe
PID 1424 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4444 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe
PID 2908 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe
PID 2908 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe
PID 1400 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe
PID 1400 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe
PID 1400 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe
PID 2172 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bc6d13c_Mon235f07b88ae.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe

6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe

624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe

624248bf51749_Mon23fd163f29.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c03c802_Mon23cf6fc42c67.exe

624248c03c802_Mon23cf6fc42c67.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bc6d13c_Mon235f07b88ae.exe

624248bc6d13c_Mon235f07b88ae.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe

624248c2870d6_Mon23e0b3b0.exe

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe

624248c3cb9af_Mon237bf16061.exe

C:\Users\Admin\AppData\Local\Temp\is-J593J.tmp\624248bf51749_Mon23fd163f29.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J593J.tmp\624248bf51749_Mon23fd163f29.tmp" /SL5="$7005A,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 752

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 660

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb6b0dcc40,0x7ffb6b0dcc4c,0x7ffb6b0dcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2128,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 824

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4368,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4340 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5116,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\C9G2A1675DBHHJ0.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5004,i,14570661818436239849,10728569613301013554,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 172.232.4.213:443 www.icodeps.com tcp
US 8.8.8.8:53 ce25059.tmweb.ru udp
RU 5.23.50.132:80 ce25059.tmweb.ru tcp
US 8.8.8.8:53 ookla-insights.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 ip-api.com udp
PL 151.115.10.4:80 ookla-insights.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 vh342.timeweb.ru udp
RU 5.23.50.132:443 vh342.timeweb.ru tcp
US 8.8.8.8:53 213.4.232.172.in-addr.arpa udp
US 8.8.8.8:53 132.50.23.5.in-addr.arpa udp
US 8.8.8.8:53 4.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud udp
PL 151.115.10.4:80 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ww99.icodeps.com udp
US 67.225.218.41:80 ww99.icodeps.com tcp
US 8.8.8.8:53 41.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 ww1.icodeps.com udp
DE 64.190.63.136:80 ww1.icodeps.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 appwebstat.biz udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.204.74:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.204.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e71bedc46122099d570715a1a7114d29
SHA1 b54aaf5dc06da686481e1801e1d7c84b731034c9
SHA256 bd2d33ab5f78ad9f2d7bb562dd217022694b7b737e131ee4e8ed6abc3610e3f8
SHA512 4435f7735acb93666960790f8dfebc0a1374121f6295cd638eeb4c1d80199d0422d982c539fb1ebaec22b22baab8d514725a81427c7bf2ec618c911e42cefb2f

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4396-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4396-80-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4444-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

memory/4396-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1680-118-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/3944-121-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4836-127-0x0000000000A90000-0x0000000000C09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J593J.tmp\624248bf51749_Mon23fd163f29.tmp

MD5 25ffc23f92cf2ee9d036ec921423d867
SHA1 4be58697c7253bfea1672386eaeeb6848740d7d6
SHA256 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703
SHA512 4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

memory/2912-135-0x0000000140000000-0x00000001406C5000-memory.dmp

memory/4836-134-0x0000000001010000-0x0000000001012000-memory.dmp

memory/4836-149-0x0000000002B30000-0x0000000002B77000-memory.dmp

memory/4836-148-0x0000000000A90000-0x0000000000C09000-memory.dmp

memory/1680-158-0x0000000005620000-0x0000000005686000-memory.dmp

memory/1680-163-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

memory/3368-166-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3368-164-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a1p2lix.flu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1680-152-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/1680-151-0x0000000005510000-0x0000000005532000-memory.dmp

memory/4836-133-0x0000000000A90000-0x0000000000C09000-memory.dmp

memory/4836-132-0x0000000000A90000-0x0000000000C09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L72K8.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

memory/1680-117-0x00000000046E0000-0x0000000004716000-memory.dmp

memory/4396-113-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4396-112-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4396-111-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4396-110-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4396-109-0x0000000000400000-0x000000000051C000-memory.dmp

memory/4444-108-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4444-107-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4444-105-0x000000006EB40000-0x000000006EB63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

memory/4444-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4444-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4444-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4444-83-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/4444-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-79-0x000000006494A000-0x000000006494F000-memory.dmp

memory/4396-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4396-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4396-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4396-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4396-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4396-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4396-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1680-180-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

memory/1680-181-0x0000000005D40000-0x0000000005D8C000-memory.dmp

memory/4244-185-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3944-186-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1680-197-0x0000000006280000-0x00000000062B2000-memory.dmp

memory/1680-209-0x0000000006C80000-0x0000000006D23000-memory.dmp

memory/1680-208-0x0000000006250000-0x000000000626E000-memory.dmp

memory/1680-198-0x000000006EE80000-0x000000006EECC000-memory.dmp

memory/4704-210-0x000000006EE80000-0x000000006EECC000-memory.dmp

memory/1680-220-0x0000000007610000-0x0000000007C8A000-memory.dmp

memory/1680-221-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

memory/4704-222-0x0000000007850000-0x000000000785A000-memory.dmp

memory/1680-225-0x0000000007240000-0x00000000072D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\arxiv.zip

MD5 4298fa80523abf31d8d2dba0eecc47f4
SHA1 57849373d58c4afee2cfc8e64839b9f03929a67a
SHA256 5585cf0ec6321a62b8d7572e5eaaec6c092577d63713b503713e81288e8466ce
SHA512 548e1821d46e590c7782485be58a8b214819f7279dd537bff95101c165e6dc68783c67eb3cf41e6791029b1cb8221c76a04c32eb8b93ab12d38ada1376997bc5

memory/4704-229-0x00000000079D0000-0x00000000079E1000-memory.dmp

memory/1680-230-0x0000000007200000-0x000000000720E000-memory.dmp

memory/1680-231-0x0000000007210000-0x0000000007224000-memory.dmp

memory/1680-235-0x0000000007300000-0x000000000731A000-memory.dmp

memory/4704-236-0x0000000007AF0000-0x0000000007AF8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 117cfc8fad9b9b77c4f08857090d6bf8
SHA1 be761f967d232c87a2897df8009ee5af2bca8896
SHA256 eac293130e274c55f1d2ac16dc694ee811e52b5adf6448ef47e6eb7c78f3c57d
SHA512 01595f49514b218e707a1d784269314248eba2ff95ff9e3ceafb12032a772d1f002b4b2ef9ed3f0cc5ccf5a1c8ee31bee71f266b5b05194012a38805b1686dda

memory/4836-257-0x0000000000A90000-0x0000000000C09000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2b0a3dfb9f19fdd74fb3454f21d01de7
SHA1 19e80dbc5e8f93cd64804605c391c09476350220
SHA256 a7220daf0337a10b0e7ac0bcd8fe5ac5a647d4c10631df67aebd1d9ada6dd1c8
SHA512 0e3fb0435d7d454649bf41348b91265d680f14cefd1109058af04c2b51fe9df6591c76a903db2209fcd9774ce0c91857e12f4b591c1b3d1cb6ec5ff069fc8a90

\??\pipe\crashpad_4424_LPLHDEKXHKXSTLYE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4836-272-0x0000000000A90000-0x0000000000C09000-memory.dmp

memory/2196-271-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2196-297-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir4424_2018722491\cbde54d2-2322-4185-992c-51e6988cba91.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4424_2018722491\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 18d6da5b352d2c2d3310a4899149c762
SHA1 4f27e14237c2e399557f2e018bb686b1ff567c2d
SHA256 0e5040bf8187f414799011e624d6be5feb382e7c4252e914e9fb87bf3253fbe7
SHA512 95e1ad622ee6b9ef54bbe5d935d7c3ab9b61f530755e65323e2c62a1a2f749b44a070d142ee78df3a65e386f7484f309ec34c01f4220bbf51144b6a0509da7a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6d4b2d75cb015e9b2173242a6e74ac41
SHA1 85f64c60d8bc9c8d7bc5adf1c39879218c6c0704
SHA256 8cf67dd2b6a3762e8295b6f4c788e9320b307b2ae499881acc62f537eae0e043
SHA512 ed4a0af713d853ded7360f739afa2aadd25e10d2da608daf218dae707f08e714216d5335f7c4cab92498a6f5f44e70f2e624cb9351b6d60e93acf10efd9ef5eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 c2ce55f42202305a07a3ec760d9eb8a4
SHA1 2612bb7e33b1538dba12d75ec4c6b4d092c82bdf
SHA256 bc17929cf06d56b74d032d6fbb81ea56149dd5bd5ba3ed5d64b440ed6a75a5ae
SHA512 4b31c6d26b3044f88ea2869a1e15bf42c3ddb11395bdf473558160b12680d66ae037436c8b1a1981e91eb84e4b9ace1bb52c57e5bb9fbf6644e434ec90df05c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5e889521d44109be2247e95227d3e092
SHA1 62ddaaada2f7c25b67c380403f16117133cececa
SHA256 6c5b79cbea7827d840fd289b37f63c0d236f9259e67ef09c6f3c915513a46641
SHA512 c32503216000997147d714d084a6e0f3338622b5c3e34910de27208a06f33ad16b65944d8b976e4ff3a06b4ac0579199038d7a46c66d3f17156b33113b73fdfe

memory/4836-706-0x0000000000A90000-0x0000000000C09000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 eb5fb46c4f130bab830fc60c445095f8
SHA1 3bbdc9b3b4f1ea4d6d8d5834db0a3d693a40bfae
SHA256 28debbb063dfa95336a25b96f21c42c2c945c8de97c21aeda70dd73c29908a99
SHA512 c4f936f09a63520f5e6fc27aa4c54b1c605a887c0f9342e097da3df636310edada65c51af7ae16738b505183a754aed4781e36bb1f260bdef82776441ed43b17

C:\Users\Admin\AppData\Local\Temp\C9G2A1675DBHHJ0.exe

MD5 8719ce641e7c777ac1b0eaec7b5fa7c7
SHA1 c04de52cb511480cc7d00d67f1d9e17b02d6406b
SHA256 6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea
SHA512 7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

memory/4836-716-0x0000000002B30000-0x0000000002B77000-memory.dmp

memory/4836-718-0x0000000000A90000-0x0000000000C09000-memory.dmp

memory/4956-719-0x000001914D290000-0x000001914D296000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 8ba60dfdb8ed399d3a7c3d324622bf4d
SHA1 0178d5282b55578302ab2efe21b4cd380110a35a
SHA256 8acbbf7653ac44d75a04c8b7b9106777d50165b7270b7f5fdae52c7e7d71119a
SHA512 a13ef28a1a0884ad162e3e02313bd327f3e2ddafb9a0590385cf0ea2b02958d875578c82907f8ec13bcddb0b316716ce4ac817f3962f70308c851f51e8c8ed95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cfdf17fc1bf57511fa1c5394004c238d
SHA1 d3f75ff84238ef1bc81212d9aa6b05db2b5c926f
SHA256 6b1cba350af04810e8a579464f85743e4fc36709dd70bc0c842741e9857aaf83
SHA512 868f138a5e9de106303e60fe1bcc3c9dfdf330ad9071a9f12a60f6d53ea1f769db139acae3aa6d942d330b202984ab318cbd8c9efcf43903a00ff2f55342172a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5efa0a11f284f1052cc950abf7ab4ff8
SHA1 73b9e589b92fe31baa093c70acacff39ee40f613
SHA256 2909700f88597da6ec0e7c009e4dee4a9c0aff944ef00f7fef5ed567225d4f1c
SHA512 323d5212b12333d31978cf47f81adbd8e7a705f04cb4371a0e5ececcc61b5178b3db94196f61fb75354c9c0d5523f0bbe1fe3eb2fad79240cba78a5556dbe473

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6ec8557e2acd990aa88c63645c9550cb
SHA1 9b3faf0f1ffa62cee414b1855636a2bbbc2faadf
SHA256 7106d13fa1422f400555dc1bab88e95c783f6f088f500ca75c8f5631da033e89
SHA512 e89cde220549a05fa562e10ece1ec003425b5480c5bbc8594d3cc31d9186421cf4b9fbd92e4a9d4bf1bb5c94f278aded1a34df8b1fc2f4e474f2839a4b924aed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 361ca159a9ee53444556160a76054b61
SHA1 5aca65799615d7522f55df61b9c7ce8fefc6004a
SHA256 905441eae097dbc72051ab4afd89c42fda68caba8b425bd3cf8ca596e727a1d9
SHA512 00854a3c2c6c2b4f25a87246e9e64ef613d7b714bfdd6c36ea0ecb6318e9f5f8e10f1c82ba4b3fb5acdee1dd4670bbb800c4169982d1c60d5f38ccc92b13fd0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cccf2053b75eccf732c5d0409c00a0c9
SHA1 51b2f954cbacc5c58099a7bb276176a640ae3bfd
SHA256 74bab82639ed3a9838624d51279a121d33b0359cb2f4191c70c59d7e4752df94
SHA512 ecb772f2d037df0a8efa5aa70659e66aac7d5d23b1f37c2735170087f04a990e8c6f6e3dc06e132d5d751c847fc260577759e9b11e1a97ff9352b10b41bfba39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c606ef5b13a075889c29af0d118c1097
SHA1 45ece167b2629252b91178a792480ee7b40926f0
SHA256 6246654400ea336e66cf10e7fd82425a385d9e8204d26a347a0c5bb0bb133e2a
SHA512 eb65b7fe7d99d423503ad6af40b163d94558c76a1808e2ba65f87a8be113b45eaea19109966545dbf1ce4fc9a5340301f2d3df17df774c891c3fe78bccf17554

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a3e0a9c316edef9e1fb8f223a0921331
SHA1 4284afd34e0d405a57575fc6e02867a93ee7a0ad
SHA256 a749cef4572f0c050ca16b581f797770943bcb5680671e7f10a42eac0aeef2ba
SHA512 062975950ddc7b39eda24b7875f8f74327529d45409a8482fe02f0c1340f57bf3dcbbe8e45209ed5296921495a91f780ad8eb15b7075813a05fa23857b0acf69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7eaf74a93f24afcb0eb7b7f0f701fb6c
SHA1 fda46fa919032d4ecd126cea45398c14192f8163
SHA256 bec6cf41a8335db21c19693723922c6440597622a58e0149cfece5fc686a8453
SHA512 f0c97eb5787614a00c72aae44ec1f44890ac69e4dac1c30c7c4e62690d78b63ef8c58495f1f819125d8cffda9520030a8bd97de93311fe3dbef0966b7914a037

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1691c3c96b43065a7bd881ca30553b47
SHA1 fe94f318299fa0546c3f76886e7303e3dcada7a9
SHA256 c7aa745ed3847185f76bfe7dd67e2c4d75fcfc27f71f93ea9221751b820a07ac
SHA512 9e477bc2971801c8bd8af079e41cdad559a3729574bc4501baec589c0e474dc008cbf3f33d063aa8aea00d5d87f0696d72036f5be624e25731bba0d8da8debfd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8dcb2545e3496771da0eb7b3d665f468
SHA1 b125ccee351cdb1682b64be73032c22c3330e7a5
SHA256 d89781addbffe8f2eb0e5b76b985e249b39dd709803b3fee7b1691b46fcc0398
SHA512 b5ff9710ecf077611b6c15f36a517a3cefe4469ac4ddf8739c9cbb09c1b3b2a6adb67d67a83b42a3a89069a5e7a171a8cc9706cadbfcdb25b116e64cbe8470dc
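The listing above mixes real payload drops with tooling noise (Chrome profile writes, the crashpad pipe, PowerShell's own startup files) and with hashes of empty content, and the extraction directory changes on every detonation (7zS4FA8FA87 here, 7zSC395A137 in the behavioral3 run below), so the raw paths cannot be compared across runs. The following is an added example, not part of the sandbox report or its tooling: a Python parser for this Files format that computes the digests of the empty file and of the two-byte "[]" Chrome state file to label them, scrubs the per-run 7-Zip SFX (7zS<hex>) and Inno Setup (is-XXXXX.tmp) temp directories, and reduces the rest to unique SHA256 values with run-independent paths. The noise patterns are a triage heuristic of this example, and the sample input is five entries copied from the listing (SHA512 lines left out for brevity).

```python
"""Parse the sandbox Files listing (path line, then MD5/SHA1/SHA256/SHA512 lines; memory
dumps as bare 'memory/...' lines), drop tooling noise and emit run-independent IOCs."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: five entries copied from the report above in its own line format.
# Blank separator lines are skipped by the parser, so they are omitted here for brevity.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7zS4FA8FA87\624248bf51749_Mon23fd163f29.exe
MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
memory/4396-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-J593J.tmp\624248bf51749_Mon23fd163f29.tmp
MD5 25ffc23f92cf2ee9d036ec921423d867
SHA1 4be58697c7253bfea1672386eaeeb6848740d7d6
SHA256 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703
\??\pipe\crashpad_4424_LPLHDEKXHKXSTLYE
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a1p2lix.flu.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")

# Digests (all four algorithms) of content that is never an IOC on its own: the empty file
# (named pipes, zero-byte temp files) and the "[]" JSON Chrome writes for empty state files.
TRIVIAL = {hashlib.new(algo, content).hexdigest(): label
           for content, label in ((b"", "empty file"), (b"[]", "empty JSON array"))
           for algo in ("md5", "sha1", "sha256", "sha512")}

# Per-run random directories: 7-Zip SFX unpacks to %TEMP%\7zS<hex>, Inno Setup to
# %TEMP%\is-<5 chars>.tmp. Both differ between detonations, so paths are scrubbed first.
RANDOM_DIR_RE = re.compile(r"\\(7zS[0-9A-F]+|is-[0-9A-Z]+\.tmp)\\", re.IGNORECASE)

# Host/tooling artifacts rather than sample drops (assumption: treated as noise for IOC
# extraction; the PowerShell ones still prove that 32-bit powershell.exe was started).
NOISE = [
    (re.compile(r"\\Google\\Chrome\\User Data\\", re.I), "chrome profile state"),
    (re.compile(r"^\\\?\?\\pipe\\crashpad_", re.I), "crashpad pipe"),
    (re.compile(r"\\__PSScriptPolicyTest_.*\.ps1$", re.I), "powershell script-policy probe"),
    (re.compile(r"\\(CLR_v4\.0(_32)?\\UsageLogs|PowerShell\\StartupProfileData)", re.I), "powershell/clr startup artifact"),
]

@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def normalized_path(self):
        def scrub(m):
            return "\\7zS<rand>\\" if m.group(1).lower().startswith("7zs") else "\\is-<rand>.tmp\\"
        return RANDOM_DIR_RE.sub(scrub, self.path)

    def classify(self):
        for digest in self.hashes.values():      # any algorithm matching trivial content wins
            if digest in TRIVIAL:
                return TRIVIAL[digest]
        for pattern, label in NOISE:
            if pattern.search(self.path):
                return label
        return "candidate IOC"

def parse_files_section(text):
    """Return (file entries, memory-dump names) parsed from the report's Files text."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:            # hash line belongs to the preceding path
            current.hashes[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):         # dumps carry no hashes in this format
            dumps.append(line)
            current = None
        else:                                    # anything else starts a new file entry
            current = FileEntry(path=line)
            files.append(current)
    return files, dumps

def candidate_iocs(files):
    """SHA256 -> run-independent path for every non-noise file, deduplicated by content."""
    out = {}
    for f in files:
        if f.classify() == "candidate IOC" and "SHA256" in f.hashes:
            out.setdefault(f.hashes["SHA256"], f.normalized_path)
    return out
```

Running `parse_files_section` over the whole Files section of each behavioral run and intersecting the `candidate_iocs` keys gives the payload set that is stable across detonations; the normalized paths let the same comparison be made on file names when a run only produced memory dumps for a stage.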

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 03:58

Reported

2024-11-11 04:01

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c03c802_Mon23cf6fc42c67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-57NNL.tmp\624248bf51749_Mon23fd163f29.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bc6d13c_Mon235f07b88ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\J8668GGD48A9H13.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c03c802_Mon23cf6fc42c67.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2860 set thread context of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe
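The SetThreadContext row above records PID 2860 rewriting the thread context of PID 884 while the Process and Target columns show the same image, which is consistent with a process starting a copy of itself and replacing its code rather than injecting into an unrelated process; the surrounding tables carry the network indicators (iplogger.org, ip-api.com), the msiexec.exe rows, and dozens of NLS\Language key reads, most of them by OS binaries the sample launched. As an added example (not part of the sandbox report or its tooling), the Python below works on rows in the report's four-column format: it parses the PID pair, separates same-image from cross-process injection, scrubs the per-run 7zS/is- temp directory so the behavioral runs can be compared, and collects the network and blocklisted-process indicators. Which signature names count as network indicators, and the decision to ignore language-key reads by images under C:\Windows\, are triage assumptions of the example; the rows are copied from the tables above.

```python
"""Triage the Signatures tables: parse the SetThreadContext row into PIDs, tell self-injection
from cross-process injection, and collect network and language-probe indicators."""
import re

# Constructed sample: rows copied from the tables above as (description, indicator, process,
# target), the four columns the report prints. "N/A" is the report's empty cell.
ROWS = {
    "Suspicious use of SetThreadContext": [
        ("PID 2860 set thread context of 884", "N/A",
         r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe",
         r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe"),
    ],
    "Blocklisted process makes network request": [
        ("N/A", "N/A", r"C:\Windows\SysWOW64\msiexec.exe", "N/A"),
        ("N/A", "N/A", r"C:\Windows\SysWOW64\msiexec.exe", "N/A"),
    ],
    "Legitimate hosting services abused for malware hosting/C2": [
        ("N/A", "iplogger.org", "N/A", "N/A"),
        ("N/A", "iplogger.org", "N/A", "N/A"),
    ],
    "Looks up external IP address via web service": [
        ("N/A", "ip-api.com", "N/A", "N/A"),
    ],
    "System Location Discovery: System Language Discovery": [
        (r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "N/A",
         r"C:\Windows\SysWOW64\cmd.exe", "N/A"),
        (r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "N/A",
         r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "N/A"),
        (r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "N/A",
         r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe", "N/A"),
    ],
}

THREAD_CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
# Assumption of this example: these two signatures are the ones whose Indicator column is a host.
NETWORK_SIGNATURES = {
    "Legitimate hosting services abused for malware hosting/C2",
    "Looks up external IP address via web service",
}
# 7-Zip SFX (7zS<hex>) and Inno Setup (is-XXXXX.tmp) temp directories change on every run.
RANDOM_DIR_RE = re.compile(r"\\(7zS[0-9A-F]+|is-[0-9A-Z]+\.tmp)\\", re.I)

def cell(value):
    """Map the report's 'N/A' placeholder to None."""
    return None if value == "N/A" else value

def parse_thread_context(description):
    """'PID 2860 set thread context of 884' -> (2860, 884)."""
    m = THREAD_CTX_RE.match(description)
    if not m:
        raise ValueError(f"not a SetThreadContext row: {description!r}")
    return int(m.group(1)), int(m.group(2))

def injection_findings(rows):
    """One finding per SetThreadContext row. The same image on both sides means the parent
    started a copy of itself and rewrote the child's thread context (the self-injection /
    hollowing pattern); differing images are classic cross-process injection."""
    findings = []
    for description, _, process, target in rows:
        src, dst = parse_thread_context(description)
        kind = "self-injection" if process.lower() == target.lower() else "cross-process injection"
        findings.append({"source_pid": src, "target_pid": dst, "kind": kind,
                         "image": RANDOM_DIR_RE.sub(r"\\<rand>\\", process)})
    return findings

def network_iocs(rows_by_signature):
    """Indicator -> signature name for every non-empty indicator in the network signatures."""
    out = {}
    for name in NETWORK_SIGNATURES:
        for _, indicator, _, _ in rows_by_signature.get(name, []):
            if cell(indicator):
                out[indicator] = name
    return out

def blocklisted_network_processes(rows_by_signature):
    """Lower-cased images the sandbox flagged for making network requests."""
    rows = rows_by_signature.get("Blocklisted process makes network request", [])
    return {process.lower() for _, _, process, _ in rows if cell(process)}

def language_probes_by_payload(rows_by_signature):
    """Dropped-payload images that opened the NLS Language key under HKLM. Rows for images
    below the Windows directory are the signature firing on OS binaries (cmd, powershell,
    msiexec) the sample merely launched; assumption: only non-system images are reported."""
    rows = rows_by_signature.get("System Location Discovery: System Language Discovery", [])
    return {RANDOM_DIR_RE.sub(r"\\<rand>\\", process)
            for description, _, process, _ in rows
            if "NLS\\Language" in description and not process.lower().startswith("c:\\windows\\")}
```

Fed the same tables from behavioral1, 2 and 4, the scrubbed image names and the indicator set can be diffed directly; a self-injection finding on the same payload name in every run is a stronger signal than the single row shown here.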

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-57NNL.tmp\624248bf51749_Mon23fd163f29.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c03c802_Mon23cf6fc42c67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
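Two things in this table are worth decoding before reading further. First, the rows "Token: 31" through "Token: 35" are privilege LUID values the sandbox could not name; they are the winnt.h constants SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31), SE_RELABEL_PRIVILEGE (32), SE_INCREASE_WORKING_SET_PRIVILEGE (33), SE_TIME_ZONE_PRIVILEGE (34) and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35), so 624248c2870d6_Mon23e0b3b0.exe walked every well-known privilege from SeCreateToken (2) to 35 in one sweep. Second, the sandbox records the AdjustTokenPrivileges request, not its outcome: privileges the account does not hold are skipped silently (the call succeeds with ERROR_NOT_ALL_ASSIGNED), so a user-level process listing SeTcb or SeLoadDriver here has not gained them. The block below is an added example, not sandbox output: it rebuilds the rows inline, names the numeric LUIDs, and tags per-process patterns. The HIGH_IMPACT set and the sweep threshold of 30 are this example's own assumptions.

```python
from collections import defaultdict

# Well-known privilege LUID values from winnt.h (SE_*_PRIVILEGE constants). The sandbox
# prints the bare number when it has no name for the value.
LUID_NAMES = {
    31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
}

# Assumed for this example: privileges whose successful enablement matters most.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
}

# Rows constructed from the AdjustPrivilegeToken table above: (Token column, Process column).
SWEEP_PROCESS = r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe"
SWEEP_TOKENS = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege", "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeSystemProfilePrivilege",
    "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege", "SeAuditPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "31", "32", "33", "34", "35",
]
ROWS = [(f"Token: {t}", SWEEP_PROCESS) for t in SWEEP_TOKENS] + [
    ("Token: SeDebugPrivilege", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ("Token: SeDebugPrivilege", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ("Token: SeDebugPrivilege", r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe"),
    ("Token: SeDebugPrivilege", r"C:\Windows\SysWOW64\taskkill.exe"),
]


def decode_token(cell):
    """'Token: SeDebugPrivilege' -> 'SeDebugPrivilege'; 'Token: 33' -> its winnt.h name."""
    value = cell.split(":", 1)[1].strip()
    if value.isdigit():
        return LUID_NAMES.get(int(value), f"UnknownPrivilege({value})")
    return value


def privileges_by_process(rows):
    """Distinct privileges each process asked to enable (duplicate rows collapse)."""
    out = defaultdict(set)
    for cell, proc in rows:
        out[proc].add(decode_token(cell))
    return dict(out)


def assess(rows, sweep_threshold=30):
    """Tag each process: a full sweep of the well-known range, and any high-impact requests."""
    findings = {}
    for proc, privs in privileges_by_process(rows).items():
        tags = []
        if len(privs) >= sweep_threshold:
            tags.append("enables-every-well-known-privilege")
        hit = sorted(privs & HIGH_IMPACT)
        if hit:
            tags.append("requests-high-impact:" + ",".join(hit))
        findings[proc] = tags
    return findings


if __name__ == "__main__":
    for proc, tags in assess(ROWS).items():
        print(proc, "->", tags or ["nothing notable"])
```

A single SeDebugPrivilege request is ordinary for taskkill /f, which enables it to terminate processes it otherwise could not open; judge that row by the binary making it rather than by the privilege alone. The whole-range sweep is the distinctive pattern here, and it is just as visible in Security event 4703 (token right adjusted) on a host with privilege-use auditing enabled.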

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424880dba59_Mon2373ae22.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 62424882a2d43_Mon2366e91c07.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe

6242487fd82aa_Mon2391599e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248845c537_Mon23d60fef.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248871e3ed_Mon2348d8b4e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bc6d13c_Mon235f07b88ae.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bd917de_Mon2341a56212.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c03c802_Mon23cf6fc42c67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c2870d6_Mon23e0b3b0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 624248c3cb9af_Mon237bf16061.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe

6242487ebee69_Mon2360fbbe475.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe

624248845c537_Mon23d60fef.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe

624248bae0b4f_Mon2315c1392c.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe

62424882a2d43_Mon2366e91c07.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c03c802_Mon23cf6fc42c67.exe

624248c03c802_Mon23cf6fc42c67.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe

624248c3cb9af_Mon237bf16061.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$8014E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe

62424880dba59_Mon2373ae22.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe

624248bf51749_Mon23fd163f29.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe

624248871e3ed_Mon2348d8b4e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe

624248c2870d6_Mon23e0b3b0.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe

624248bd917de_Mon2341a56212.exe

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe" -h

C:\Users\Admin\AppData\Local\Temp\is-57NNL.tmp\624248bf51749_Mon23fd163f29.tmp

"C:\Users\Admin\AppData\Local\Temp\is-57NNL.tmp\624248bf51749_Mon23fd163f29.tmp" /SL5="$501B8,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 272

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bc6d13c_Mon235f07b88ae.exe

624248bc6d13c_Mon235f07b88ae.exe

C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$9014E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe" /SILENT

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /Y .\WJZ~MF~9.0S

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1700 -s 480

C:\Users\Admin\AppData\Local\Temp\J8668GGD48A9H13.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 484
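The command lines above are the most actionable part of this detonation: a Defender exclusion for the user's Temp directory, real-time monitoring and cloud reporting switched off, a forced kill of chrome.exe (which releases the locks on the browser's profile databases before they are read), msiexec /Y (which registers a module by calling its DllRegisterServer export), and Inno Setup stubs launched with /SL5= out of is-*.tmp directories. Note also that the images run from SysWOW64 while the command lines name system32: the 32-bit setup_install.exe went through WOW64 file system redirection, which is a useful hint about the parent when the tree itself is not available. All of this is visible in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing). The block below is an added example, not sandbox output: it rebuilds a few of the (image, command line) pairs inline and runs a small rule set over them. The rule names, severities and regular expressions are this example's own assumptions, not the sandbox's signatures.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str
    evidence: str


# Process records constructed from the Processes section above: (image path, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-LQIFO.tmp\62424882a2d43_Mon2366e91c07.tmp" /SL5="$8014E,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe"'),
    (r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\System32\msiexec.exe" /Y .\WJZ~MF~9.0S'),
    (r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im chrome.exe"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 272"),
]

# Each rule: (name, severity, which field to match, compiled pattern). Assumed heuristics.
RULES = [
    ("defender-exclusion-added", "high", "cmdline",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("defender-realtime-disabled", "high", "cmdline",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender-cloud-reporting-off", "medium", "cmdline",
     re.compile(r"-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend", re.I)),
    ("browser-process-killed", "medium", "cmdline",
     re.compile(r"taskkill\b.*/im\s+(chrome|msedge|firefox|opera|brave)\.exe", re.I)),
    ("msiexec-dll-register", "medium", "cmdline",
     re.compile(r'msiexec(\.exe)?"?\s+/y\s', re.I)),
    ("inno-setup-stub", "info", "cmdline", re.compile(r"\s/SL5=", re.I)),
    ("exec-from-7zip-sfx-dir", "low", "image",
     re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]+\\", re.I)),
    ("exec-from-user-temp", "low", "image", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
]


def triage(processes):
    """Run every rule over (image, cmdline) pairs and return the findings in table order."""
    findings = []
    for image, cmdline in processes:
        for name, sev, which, rx in RULES:
            m = rx.search(cmdline if which == "cmdline" else image)
            if m:
                findings.append(Finding(name, sev, image, m.group(0)))
        # A command line naming System32 while the loaded image sits in SysWOW64 means
        # a 32-bit parent launched it through WOW64 file system redirection.
        if re.search(r"\\SysWOW64\\", image, re.I) and re.search(r"\\system32\\", cmdline, re.I):
            findings.append(Finding("wow64-redirected-system-binary", "info", image, cmdline.split()[0]))
    return findings


def severity_counts(findings):
    """Findings per severity, for a one-line summary of the tree."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(PROCESSES)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:32} {f.image}")
    print(severity_counts(results))
```

On a host with Tamper Protection enabled, Set-MpPreference -DisableRealtimeMonitoring is refused, so a hit on the command line alone does not prove the change took effect; confirm it against the Microsoft-Windows-Windows Defender/Operational log (event 5001 for real-time protection disabled, 5007 for any configuration change). The exclusion cmdlet is the higher-confidence indicator, because it succeeds from an elevated shell whether or not the rest of the sequence does.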

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.icodeps.com udp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 172.232.4.213:443 www.icodeps.com tcp
US 8.8.8.8:53 ookla-insights.s3.pl-waw.scw.cloud udp
US 172.232.4.213:443 www.icodeps.com tcp
US 172.232.4.213:443 www.icodeps.com tcp
PL 151.115.10.3:80 ookla-insights.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 ce25059.tmweb.ru udp
US 172.232.4.213:443 www.icodeps.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud udp
RU 5.23.50.132:80 ce25059.tmweb.ru tcp
PL 151.115.10.3:80 speedtestqs7etrh4mbk323pz.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 getnek.com udp
US 8.8.8.8:53 vh342.timeweb.ru udp
RU 5.23.50.132:443 vh342.timeweb.ru tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 fashion-academy.net udp
US 8.8.8.8:53 gardnersoftwera.com udp
US 8.8.8.8:53 all-smart-green.com udp
US 199.59.243.227:80 all-smart-green.com tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 78.14.113.227:8080 tcp
US 78.14.113.227:8080 tcp
US 8.8.8.8:53 xoxctajs.aquamarineboilinghorse.online udp
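Reading this table takes a little care. Rows to 8.8.8.8:53 over udp are the sandbox's DNS lookups, not contact with the domain; a domain that only ever appears in such a row (blackhk1.beget.tech, getnek.com, appwebstat.biz, www.hhiuew33.com, fashion-academy.net, gardnersoftwera.com, v.xyzgamev.com and the .online host) resolved to nothing the sample went on to connect to, whether because it was NXDOMAIN, sinkholed or simply down at detonation time, but it remains a pivot for retro-hunting in DNS logs. ip-api.com and iplogger.org are public IP-disclosure services rather than attacker infrastructure, crl.microsoft.com and c.pki.goog are PKI noise the platform itself generates, the 127.0.0.1:80 rows are local, and the connection to 78.14.113.227:8080 with no preceding DNS row is a direct-to-IP beacon that needs its own network rule. The beget.tech, timeweb.ru and scw.cloud names sit on shared hosting and object storage, so block the full hostname and not the provider. The block below is an added example, not sandbox output: it rebuilds a representative set of rows inline and sorts them into those categories. The PLATFORM_NOISE and IP_LOOKUP_SERVICES lists are this example's assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed from the Network table above: (country, destination, domain or None, proto).
ROWS = [
    ("US", "8.8.8.8:53", "v.xyzgamev.com", "udp"),
    ("US", "8.8.8.8:53", "www.icodeps.com", "udp"),
    ("US", "8.8.8.8:53", "blackhk1.beget.tech", "udp"),
    ("US", "172.232.4.213:443", "www.icodeps.com", "tcp"),
    ("US", "8.8.8.8:53", "ookla-insights.s3.pl-waw.scw.cloud", "udp"),
    ("US", "172.232.4.213:443", "www.icodeps.com", "tcp"),
    ("PL", "151.115.10.3:80", "ookla-insights.s3.pl-waw.scw.cloud", "tcp"),
    ("US", "8.8.8.8:53", "ce25059.tmweb.ru", "udp"),
    ("US", "8.8.8.8:53", "iplogger.org", "udp"),
    ("US", "104.26.3.46:443", "iplogger.org", "tcp"),
    ("RU", "5.23.50.132:80", "ce25059.tmweb.ru", "tcp"),
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "gardnersoftwera.com", "udp"),
    ("N/A", "127.0.0.1:80", None, "tcp"),
    ("US", "8.8.8.8:53", "crl.microsoft.com", "udp"),
    ("GB", "2.19.117.18:80", "crl.microsoft.com", "tcp"),
    ("US", "78.14.113.227:8080", None, "tcp"),
]

# Assumed lists for this example: PKI noise every detonation produces, and public
# services that reveal the victim's IP (a common loader/stealer check-in step).
PLATFORM_NOISE = {"crl.microsoft.com", "c.pki.goog"}
IP_LOOKUP_SERVICES = {"ip-api.com", "iplogger.org"}
RESOLVER = "8.8.8.8:53"


def classify(rows):
    """Split the table into resolved-only domains, contacted domains, lookup services,
    platform noise and direct-to-IP connections (loopback dropped)."""
    domains = defaultdict(lambda: {"resolved": False, "contacted": set()})
    direct = set()  # rows with no domain column
    for _country, dest, domain, proto in rows:
        if domain is None:
            direct.add(dest)
        elif dest == RESOLVER and proto == "udp":
            domains[domain]["resolved"] = True
        else:
            domains[domain]["contacted"].add(dest)
    report = {"resolved_only": [], "contacted": {}, "ip_lookup": [], "noise": [], "direct": []}
    for domain, info in sorted(domains.items()):
        if domain in PLATFORM_NOISE:
            report["noise"].append(domain)
            continue
        if domain in IP_LOOKUP_SERVICES:
            report["ip_lookup"].append(domain)
        if info["contacted"]:
            report["contacted"][domain] = sorted(info["contacted"])
        else:
            report["resolved_only"].append(domain)
    for dest in sorted(direct):
        if not ipaddress.ip_address(dest.rsplit(":", 1)[0]).is_loopback:
            report["direct"].append(dest)
    return report


def iocs(report):
    """Blockable indicators: domains the sample wanted plus the IPs it actually reached,
    leaving out shared IP-lookup services, platform noise and loopback."""
    out = set(report["resolved_only"]) | set(report["direct"])
    for domain, dests in report["contacted"].items():
        if domain in IP_LOOKUP_SERVICES:
            continue
        out.add(domain)
        out.update(d.rsplit(":", 1)[0] for d in dests)
    return sorted(out)


if __name__ == "__main__":
    rep = classify(ROWS)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("iocs:", iocs(rep))
```

The resolved-only list is the one to feed into passive-DNS and resolver logs: a client that queried any of those names around the same time has run this dropper even if it never reached the payload host.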

Files

\Users\Admin\AppData\Local\Temp\7zSC395A137\setup_install.exe

MD5 83c766fb0a8d71f559d79d600ea05297
SHA1 8f4e1868bef695539f2b7cb83b3e336e959f3087
SHA256 3572b5d2013141cee24aa859fdd60398ef7d1c4ac40d2c080ecdb12129cb70ee
SHA512 1a49b39dc87ef672308b4a8bab0d1f9f9c0c51296b46f5cc46fa39312f94edf7f2bf1936367e0f7dc75c3ecb052558a75ced42189b4a4b218e8fe715ab163d88

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2808-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2808-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC395A137\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2808-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-76-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2808-75-0x000000006494A000-0x000000006494F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424880dba59_Mon2373ae22.exe

MD5 81cf5e614873508b9ecba216112c276b
SHA1 cb3115f68ffe4f428fc141f113dff477530f17fb
SHA256 fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
SHA512 48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487ebee69_Mon2360fbbe475.exe

MD5 98c3385d313ae6d4cf1f192830f6b555
SHA1 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512 fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

memory/2808-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\62424882a2d43_Mon2366e91c07.exe

MD5 52142a360efa5a88aa469593f3961bb4
SHA1 bb06f4b274789d3998ea3cbdc7d2056d4a99950f
SHA256 3a53d2f99cf9562803815dc1df898557919db19d54956b53840cbcf89c696dad
SHA512 de1e51dfb2a06bd0ad3142f7b2f33d78f5c2b07d0effc23074011d76a12a0d0591ea8a1b4fe753cf1482f8a438d2927fb92c4fb7a184029f35721e8b3f7fb5cc

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c03c802_Mon23cf6fc42c67.exe

MD5 79c79760259bd18332ca17a05dab283d
SHA1 b9afed2134363447d014b85c37820c5a44f33722
SHA256 e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
SHA512 a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bd917de_Mon2341a56212.exe

MD5 0913c141934828228be4bee6b08cadfe
SHA1 caf2f7ea94afc62792d91c1f2c1b99c05b1a2a1f
SHA256 3fa1c49f7dd6657c195dc68c13b50a0d7e2f3ec641f7108ffb3e041ea3713c95
SHA512 29bece87e4080db7098115f568dc9f5c25206147020d94438bff7ef5f17a918fae8a7546932e310648bf31be27bc4a29edf3e49051dd6e72aa9cf82e0ecd254b

memory/2808-101-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248845c537_Mon23d60fef.exe

MD5 5bc6b4fcbdb2edbd8ca492b9ba9059f9
SHA1 6ad0140809c7f71769bf7bdd652442ffc4c2bc35
SHA256 f0d2a8fa7d23f6546e377a0c6dc9019cf513d6474afc462bba517c82e5c1d4b8
SHA512 953cb941a5fc7ea44b36bf70b984990a5d0b6c2b4cb614dcedbf254dbb1b6940d345dd8531ef1f489b0d467ac98208533c8b94e44a53c931d4e9bc91f5af2718

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bae0b4f_Mon2315c1392c.exe

MD5 dc3a42af98906ce86ad0e67ce7153b45
SHA1 83141ef3b732302806b27e1bd4332d2964418f07
SHA256 399d9c5dc78b7696e0984cc265c6b142d70949694e86a8e38474aedcda4ff6f1
SHA512 f3df4c782941bd130d302d63323edaccddf59a1cbad10ca3262118c948c78df6dc520bff67ec26918c31b575dce6580d72da0d6c170cabe34c98f52acadb9cb6

memory/640-123-0x0000000002840000-0x00000000029B9000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c3cb9af_Mon237bf16061.exe

MD5 815d3b5cdc4aea7e8c8fe78434061694
SHA1 40aa8a3583d659aa86edf78db14f03917db6dda8
SHA256 226d6fc908bee0a523a09d1912f0b6b6958173ccd77997d45121d9091a7199b4
SHA512 b8cc6f302f86cbf3eea3c95ceda9302f543ebb6ed3cbbe5c038a1417a1536345cd44f8e89ec48579bc699d71c994eccd1dcbd43dca669931377f738072c2f95a

memory/1144-121-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bc6d13c_Mon235f07b88ae.exe

MD5 a128f3490a3d62ec1f7c969771c9cb52
SHA1 73f71a45f68e317222ac704d30319fcbecdb8476
SHA256 4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
SHA512 ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248bf51749_Mon23fd163f29.exe

MD5 98362f1952eb1349f17f77bb70a9fbcc
SHA1 e8a2273215c3cea3100fa40536b0791fea27af8f
SHA256 9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
SHA512 6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679

memory/2008-109-0x0000000000510000-0x0000000000524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248c2870d6_Mon23e0b3b0.exe

MD5 9e7d2e1b5aac4613d906efa021b571a1
SHA1 b9665c6248bc56e1cbb8797d27aa6b0db5ba70f1
SHA256 52c5dea41a299961b4776d3794864ce84e9d51ac1858dd6afb395e0a638bc666
SHA512 5dfd847513b94feb7df2569518c5abf56723cf165a424e2ebfea9fb4b5d2d70a9d0a962d5f7c7f68b3fd9a005c7aeb1bf20d9c7bfb1ee7ed0a23455d78516549

memory/2008-108-0x0000000000510000-0x0000000000524000-memory.dmp

memory/2844-132-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2844-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-145-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2844-144-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2460-151-0x0000000000020000-0x000000000004C000-memory.dmp

memory/2020-152-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/2844-142-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3020-156-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2844-141-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2844-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-100-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2808-99-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/884-174-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1092-180-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1144-184-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2248-183-0x0000000000400000-0x0000000000682000-memory.dmp

memory/884-178-0x0000000000400000-0x0000000000409000-memory.dmp

memory/884-173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VK9QY8HRO32AEXPJE7N3.temp

MD5 bf8a82c787e321e90f8f074fb88c0eb5
SHA1 e52a63b401f90b48f612e5a2e30f2ab0eb674323
SHA256 2de0a5dfed8453ae3402fe013f650c5d68c283d58683b4c47ee0d834a163f993
SHA512 63ac485d69be0ddd1b5205b5d7ed6297a817495a50c2235e886d1444290304d1b3a50aca3974d27f1b27ed669aa741db156b32d566f82d3be19ebd0e3426ed96

memory/2460-165-0x0000000000510000-0x0000000000516000-memory.dmp

memory/2808-98-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-96-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2808-92-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\624248871e3ed_Mon2348d8b4e.exe

MD5 327366acede3d33a1d9b93396aee3eb9
SHA1 3df53825a46673b9fb97e68b2372f9dc27437b7f
SHA256 12183f88314a86429c1685dacb2cd7f87d1eac7094d52a19a92b45432800e051
SHA512 a7ce948ede1b8d02972322bb88498d6607dce39fd215df37ca58f016f5658436a556ec2425207f2434db7728b1ad1c19c7ec05110d82c094525c4bae7bf4894f

C:\Users\Admin\AppData\Local\Temp\7zSC395A137\6242487fd82aa_Mon2391599e.exe

MD5 7bdeeadd41822f3c024fba58b16e2cdc
SHA1 13a3319b0545e7ff1d17f678093db9f8785bba5a
SHA256 d46ceb96d549e329a60607d9d4acca2d62560f8daaaa5fc60b50823567b9c24f
SHA512 1942f19d694616c56f874fc8df73da26beed8f290cf619d9f8443a03289c5d36ae830d1f6bf0e8adf79eddf062c9e48373677e0a2d593ee1666fae5148a3e4ad

memory/2808-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2808-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2808-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2808-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2020-197-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/2020-198-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/1700-191-0x0000000140000000-0x00000001406C5000-memory.dmp

memory/2020-201-0x00000000003B0000-0x00000000003F7000-memory.dmp

memory/2020-200-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/2020-199-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2020-190-0x0000000000A00000-0x0000000000B79000-memory.dmp

memory/2020-189-0x0000000000A00000-0x0000000000B79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DON3A.tmp\62424882a2d43_Mon2366e91c07.tmp

MD5 bf0e3b12f2997dc8963a7185da858ae1
SHA1 750dfeb4768878a2a70708f7852137b29f84afdc
SHA256 9e2310fd47d35e832659298351275ec7aa30034d41d3669d22344738ffc23256
SHA512 2c115c105766edcf1a9a221bb897294a7d71eea4245ec659e5f0294523333cd141714e7cde6ab6535b0c4615f9b0cad7889968262287f192bb7b4c1cc8593a17

C:\Users\Admin\AppData\Local\Temp\is-RC9U4.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/640-208-0x0000000002840000-0x00000000029B9000-memory.dmp

memory/988-215-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3020-216-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2684-220-0x0000000002890000-0x0000000003890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab28E4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2A00.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2684-286-0x000000002D3A0000-0x000000002D451000-memory.dmp

memory/2684-288-0x000000002D460000-0x000000002D4FD000-memory.dmp

memory/2684-290-0x000000002D460000-0x000000002D4FD000-memory.dmp

memory/2684-287-0x000000002D460000-0x000000002D4FD000-memory.dmp

memory/2020-294-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/2132-296-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/948-295-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2020-297-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/2020-300-0x0000000000A00000-0x0000000000B79000-memory.dmp

memory/2020-299-0x0000000000A00000-0x0000000000B79000-memory.dmp

memory/1704-302-0x0000000000400000-0x0000000000682000-memory.dmp

memory/1092-301-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2684-303-0x0000000002890000-0x0000000003890000-memory.dmp

memory/2020-306-0x00000000003B0000-0x00000000003F7000-memory.dmp

memory/2020-308-0x0000000001130000-0x00000000012A9000-memory.dmp

memory/1620-309-0x000000013F640000-0x000000013F646000-memory.dmp

memory/2132-310-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/2132-311-0x0000000000400000-0x00000000004AB000-memory.dmp