fabookie | e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe
Size

7.5MB
MD5

7e95861bfb9a3eae5a1c0365297ec490
SHA1

458f1b294b7a1ebc5a29030fd066d7124970b251
SHA256

e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5
SHA512

78066b7275328d403e99def49700d34635ad68c190baacf6652509e9403d53035e89f213ceff72ca76fa29673ccb9894ac5c321a18e0508060718432b447573a
SSDEEP

196608:xqwVbwdkjjHPyoXYqMkV3xH6OP5hHnYtmj643Rd:xtBwdG7PDIqtVBHkS

Score

10^/10

fabookie nullmixer redline socelars vidar 915 media25pqs aspackv2 discovery dropper execution infostealer spyware stealer

Malware Config

Extracted

Family

socelars

http://www.chosenncrowned.com/

Extracted

Family

redline

Botnet

media25pqs

65.108.69.168:13293

Attributes

auth_value
e792d0d7a03fceb57d0e07caa26bb34f

Extracted

Family

nullmixer

http://hornygl.xyz/

Extracted

Family

vidar

Version

49.2

Botnet

915

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes

profile_id
915

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbd-78.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/5008-182-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbc-71.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x0007000000023cbd-78.dat	Nirsoft
behavioral2/memory/1360-205-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000023cd7-204.dat	Nirsoft
behavioral2/files/0x0008000000023cd7-285.dat	Nirsoft
behavioral2/memory/3428-287-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x0007000000023cbd-78.dat	WebBrowserPassView
behavioral2/files/0x0008000000023cd7-285.dat	WebBrowserPassView
behavioral2/memory/3428-287-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4440-283-0x0000000000400000-0x000000000053F000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
91	1428	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe
4972	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cad-47.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cb0-53.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cae-48.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Mon0333ecac229eb22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Mon0337242833e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Mon034a40f4c2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Mon0376e7a8f67a.exe

Executes dropped EXE 20 IoCs

pid	Process
1068	setup_install.exe
3464	Mon034a40f4c2.exe
4532	Mon03f186a0d10.exe
2760	Mon03184374b6827dae2.exe
3584	Mon0337242833e.exe
4820	Mon034a40f4c2.tmp
2424	Mon0333ecac229eb22.exe
4440	Mon036f89e9eef8271.exe
1312	Mon0376e7a8f67a.exe
4180	Mon0318a4864788e065.exe
2172	Mon03ff1e89e18831.exe
1544	Mon03c16839a9b.exe
3204	Mon036bb55bb30d.exe
2924	Mon034a40f4c2.exe
4432	Mon0333ecac229eb22.exe
2468	Mon034a40f4c2.tmp
5008	Mon03184374b6827dae2.exe
1360	11111.exe
3428	11111.exe
2908	e58bb7b.exe

Loads dropped DLL 12 IoCs

pid	Process
1068	setup_install.exe
1068	setup_install.exe
1068	setup_install.exe
1068	setup_install.exe
1068	setup_install.exe
1068	setup_install.exe
4820	Mon034a40f4c2.tmp
2468	Mon034a40f4c2.tmp
1712	rundll32.exe
1712	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	Mon03f186a0d10.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	iplogger.org
9	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 5008	2760	Mon03184374b6827dae2.exe	115

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1192	1068	WerFault.exe	83
2092	4180	WerFault.exe	110
4552	3204	WerFault.exe	114
2356	2908	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon034a40f4c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon034a40f4c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon036bb55bb30d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon034a40f4c2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon03f186a0d10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon036f89e9eef8271.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon0333ecac229eb22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon0333ecac229eb22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58bb7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon03184374b6827dae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon034a40f4c2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon0376e7a8f67a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon0318a4864788e065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon03184374b6827dae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon0337242833e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon0318a4864788e065.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon0318a4864788e065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon0318a4864788e065.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3860	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768526017987200"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Mon0376e7a8f67a.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Mon0337242833e.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1700	powershell.exe
4972	powershell.exe
1700	powershell.exe
1700	powershell.exe
4972	powershell.exe
4972	powershell.exe
3428	11111.exe
3428	11111.exe
3428	11111.exe
3428	11111.exe
3664	chrome.exe
3664	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeCreateTokenPrivilege	4532	Mon03f186a0d10.exe
Token: SeAssignPrimaryTokenPrivilege	4532	Mon03f186a0d10.exe
Token: SeLockMemoryPrivilege	4532	Mon03f186a0d10.exe
Token: SeIncreaseQuotaPrivilege	4532	Mon03f186a0d10.exe
Token: SeMachineAccountPrivilege	4532	Mon03f186a0d10.exe
Token: SeTcbPrivilege	4532	Mon03f186a0d10.exe
Token: SeSecurityPrivilege	4532	Mon03f186a0d10.exe
Token: SeTakeOwnershipPrivilege	4532	Mon03f186a0d10.exe
Token: SeLoadDriverPrivilege	4532	Mon03f186a0d10.exe
Token: SeSystemProfilePrivilege	4532	Mon03f186a0d10.exe
Token: SeSystemtimePrivilege	4532	Mon03f186a0d10.exe
Token: SeProfSingleProcessPrivilege	4532	Mon03f186a0d10.exe
Token: SeIncBasePriorityPrivilege	4532	Mon03f186a0d10.exe
Token: SeCreatePagefilePrivilege	4532	Mon03f186a0d10.exe
Token: SeCreatePermanentPrivilege	4532	Mon03f186a0d10.exe
Token: SeBackupPrivilege	4532	Mon03f186a0d10.exe
Token: SeRestorePrivilege	4532	Mon03f186a0d10.exe
Token: SeShutdownPrivilege	4532	Mon03f186a0d10.exe
Token: SeDebugPrivilege	4532	Mon03f186a0d10.exe
Token: SeAuditPrivilege	4532	Mon03f186a0d10.exe
Token: SeSystemEnvironmentPrivilege	4532	Mon03f186a0d10.exe
Token: SeChangeNotifyPrivilege	4532	Mon03f186a0d10.exe
Token: SeRemoteShutdownPrivilege	4532	Mon03f186a0d10.exe
Token: SeUndockPrivilege	4532	Mon03f186a0d10.exe
Token: SeSyncAgentPrivilege	4532	Mon03f186a0d10.exe
Token: SeEnableDelegationPrivilege	4532	Mon03f186a0d10.exe
Token: SeManageVolumePrivilege	4532	Mon03f186a0d10.exe
Token: SeImpersonatePrivilege	4532	Mon03f186a0d10.exe
Token: SeCreateGlobalPrivilege	4532	Mon03f186a0d10.exe
Token: 31	4532	Mon03f186a0d10.exe
Token: 32	4532	Mon03f186a0d10.exe
Token: 33	4532	Mon03f186a0d10.exe
Token: 34	4532	Mon03f186a0d10.exe
Token: 35	4532	Mon03f186a0d10.exe
Token: SeDebugPrivilege	2760	Mon03184374b6827dae2.exe
Token: SeDebugPrivilege	1544	Mon03c16839a9b.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1068	1428	e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe	83
PID 1428 wrote to memory of 1068	1428	e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe	83
PID 1428 wrote to memory of 1068	1428	e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe	83
PID 1068 wrote to memory of 2704	1068	setup_install.exe	86
PID 1068 wrote to memory of 2704	1068	setup_install.exe	86
PID 1068 wrote to memory of 2704	1068	setup_install.exe	86
PID 1068 wrote to memory of 4480	1068	setup_install.exe	87
PID 1068 wrote to memory of 4480	1068	setup_install.exe	87
PID 1068 wrote to memory of 4480	1068	setup_install.exe	87
PID 4480 wrote to memory of 4972	4480	cmd.exe	88
PID 4480 wrote to memory of 4972	4480	cmd.exe	88
PID 4480 wrote to memory of 4972	4480	cmd.exe	88
PID 2704 wrote to memory of 1700	2704	cmd.exe	89
PID 2704 wrote to memory of 1700	2704	cmd.exe	89
PID 2704 wrote to memory of 1700	2704	cmd.exe	89
PID 1068 wrote to memory of 1116	1068	setup_install.exe	90
PID 1068 wrote to memory of 1116	1068	setup_install.exe	90
PID 1068 wrote to memory of 1116	1068	setup_install.exe	90
PID 1068 wrote to memory of 2324	1068	setup_install.exe	91
PID 1068 wrote to memory of 2324	1068	setup_install.exe	91
PID 1068 wrote to memory of 2324	1068	setup_install.exe	91
PID 1068 wrote to memory of 4744	1068	setup_install.exe	92
PID 1068 wrote to memory of 4744	1068	setup_install.exe	92
PID 1068 wrote to memory of 4744	1068	setup_install.exe	92
PID 1068 wrote to memory of 5040	1068	setup_install.exe	93
PID 1068 wrote to memory of 5040	1068	setup_install.exe	93
PID 1068 wrote to memory of 5040	1068	setup_install.exe	93
PID 1068 wrote to memory of 3664	1068	setup_install.exe	136
PID 1068 wrote to memory of 3664	1068	setup_install.exe	136
PID 1068 wrote to memory of 3664	1068	setup_install.exe	136
PID 1068 wrote to memory of 4160	1068	setup_install.exe	95
PID 1068 wrote to memory of 4160	1068	setup_install.exe	95
PID 1068 wrote to memory of 4160	1068	setup_install.exe	95
PID 1068 wrote to memory of 1564	1068	setup_install.exe	96
PID 1068 wrote to memory of 1564	1068	setup_install.exe	96
PID 1068 wrote to memory of 1564	1068	setup_install.exe	96
PID 1068 wrote to memory of 4832	1068	setup_install.exe	97
PID 1068 wrote to memory of 4832	1068	setup_install.exe	97
PID 1068 wrote to memory of 4832	1068	setup_install.exe	97
PID 1068 wrote to memory of 4776	1068	setup_install.exe	98
PID 1068 wrote to memory of 4776	1068	setup_install.exe	98
PID 1068 wrote to memory of 4776	1068	setup_install.exe	98
PID 4744 wrote to memory of 3464	4744	cmd.exe	99
PID 4744 wrote to memory of 3464	4744	cmd.exe	99
PID 4744 wrote to memory of 3464	4744	cmd.exe	99
PID 1068 wrote to memory of 1812	1068	setup_install.exe	144
PID 1068 wrote to memory of 1812	1068	setup_install.exe	144
PID 1068 wrote to memory of 1812	1068	setup_install.exe	144
PID 1116 wrote to memory of 4532	1116	cmd.exe	101
PID 1116 wrote to memory of 4532	1116	cmd.exe	101
PID 1116 wrote to memory of 4532	1116	cmd.exe	101
PID 1068 wrote to memory of 3576	1068	setup_install.exe	103
PID 1068 wrote to memory of 3576	1068	setup_install.exe	103
PID 1068 wrote to memory of 3576	1068	setup_install.exe	103
PID 5040 wrote to memory of 2760	5040	cmd.exe	104
PID 5040 wrote to memory of 2760	5040	cmd.exe	104
PID 5040 wrote to memory of 2760	5040	cmd.exe	104
PID 2324 wrote to memory of 3584	2324	cmd.exe	102
PID 2324 wrote to memory of 3584	2324	cmd.exe	102
PID 2324 wrote to memory of 3584	2324	cmd.exe	102
PID 3464 wrote to memory of 4820	3464	Mon034a40f4c2.exe	107
PID 3464 wrote to memory of 4820	3464	Mon034a40f4c2.exe	107
PID 3464 wrote to memory of 4820	3464	Mon034a40f4c2.exe	107
PID 3664 wrote to memory of 2424	3664	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe
"C:\Users\Admin\AppData\Local\Temp\e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\7zS49515997\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS49515997\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon03f186a0d10.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03f186a0d10.exe
      Mon03f186a0d10.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3664
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe71fecc40,0x7ffe71fecc4c,0x7ffe71fecc58
        6⤵
        
        PID:3204
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        6⤵
        
        PID:4680
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        
        PID:4828
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2480 /prefetch:8
        6⤵
        
        PID:4916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
        6⤵
        
        PID:3272
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2220,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
        6⤵
        
        PID:3840
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
        6⤵
        
        PID:2860
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4376,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
        6⤵
        
        PID:4024
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
        6⤵
        
        PID:3996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4872,i,13918900502887585852,192262293031031692,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0337242833e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0337242833e.exe
      Mon0337242833e.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3584
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        7⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        8⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\e58bb7b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e58bb7b.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 780
        10⤵
        Program crash
        
        PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon034a40f4c2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe
      Mon034a40f4c2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\is-184SU.tmp\Mon034a40f4c2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-184SU.tmp\Mon034a40f4c2.tmp" /SL5="$40114,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\is-694UJ.tmp\Mon034a40f4c2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-694UJ.tmp\Mon034a40f4c2.tmp" /SL5="$80286,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon03184374b6827dae2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03184374b6827dae2.exe
      Mon03184374b6827dae2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03184374b6827dae2.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03184374b6827dae2.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0333ecac229eb22.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0333ecac229eb22.exe
      Mon0333ecac229eb22.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0333ecac229eb22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0333ecac229eb22.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon03ff1e89e18831.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03ff1e89e18831.exe
      Mon03ff1e89e18831.exe
      4⤵
      Executes dropped EXE
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon036f89e9eef8271.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon036f89e9eef8271.exe
      Mon036f89e9eef8271.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0376e7a8f67a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0376e7a8f67a.exe
      Mon0376e7a8f67a.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1312
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SFNX63.cPl",
        7⤵
        
        PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0318a4864788e065.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0318a4864788e065.exe
      Mon0318a4864788e065.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:4180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 356
        5⤵
        Program crash
        
        PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon03c16839a9b.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03c16839a9b.exe
      Mon03c16839a9b.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon036bb55bb30d.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon036bb55bb30d.exe
      Mon036bb55bb30d.exe /mixtwo
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 408
        5⤵
        Program crash
        
        PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 588
    3⤵
    - Program crash
    PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 1068
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3204 -ip 3204
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4180 -ip 4180
1⤵
PID:1764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2908 -ip 2908
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b17d8144dfbee41450f005fd2a6cc4cd

SHA1
7234ee4fb906dbea7ab471165df7b3c66df8435b

SHA256
caf98aad55082fc7b3760273bfabcf01aa166aed8a7dcb9dfb223209a5f561c3

SHA512
39fdb4f28086786594c10760ba01836d7b09023019a7267b9b85cb989a45a6d979621674d7d82b842ddf0bac3dd3845941a9455e453a41f7ac533ada15d68ffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
27c6a3f223356d03cac15a92b8d4eb0b

SHA1
24c5a23c3bd3ebf9a30018595c634b722af69433

SHA256
ab904dc28f8284a1b3897ac9f2d02c07d00f51b875edbdaafdfa5623943600ec

SHA512
979fdd9c2dee7e5f1f0702433e1420a842e52a79ddab9cc41b0de2ebb472eba98bd1de250e4d09176ea8c259ff5b292c14d9fd066365e62dec240e5d2145a7b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3b53144e386004b630597766476c98b9

SHA1
4c0c7d2a2217a487a8b8424f9672bed63fb71ae3

SHA256
a32b76d82e84990955c72080ffa29ca3a6c27b8af6e160ce6a5ab47b2b37d147

SHA512
5857d957a5a675ee79cddd711f1436df084aa22675199cfc37fed73ac7dbd513684abf56e19ad5a4227c7f5bafbaf07089a76c66b6722c5678abd144a9c896a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1008d3e5347e796fc64c1ff69a01182f

SHA1
9fd6ceacf0f0bbb0bafb9dd1731a27871ae0f5de

SHA256
69f7ddb0c32845310304c4b9c54642757dc52e4cae2a2895a1a45fdb98f10606

SHA512
89b8a984ba5202880367467064b71c273ad22ffffad383b2fb534593ea94919501d4d2796e3fada6c3cdd184f6c2310022c8dac32f2de37766c3634b8b5dbc11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe988ec75f38b2523a9365a1d0bf87cb

SHA1
b0876e22dd252627e7aa90556e164ed09b9269c8

SHA256
8ba08755a521c8adef2e24550cd505129d1263fabc6b7e5f023d85affa3b42de

SHA512
a0a0f38cc143f3dc35ab22f1ea8977ee8fd36d89f5c61804c5a7b167cd8369c93e49f5f76811b94ea9e61a2840d6cb2869e068326ae6481155b704c6a9a76820

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbcce2ab08ced986ccdced1aae120873

SHA1
6774ed9187213d7b431bc8742da9880647fd601c

SHA256
1f9161b381437f5abd49f2e5f76c71da393404bde65d375889963a2b1e20be3b

SHA512
acb091cfddc4ceaedd34d9dad04a53d75ba2b421a1a459a6f270e32e038f3db8aaf17cc88958b9d5be5667cc2d2c265e93854efcb747b1b00ac58fe628da0223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
132534da96cb4ad313bef8a3b5acdc74

SHA1
ac60bf36139a6922bc0e23caee9fb33a09ca9465

SHA256
991e352ed82648de5501df032a6f6f6d0aea7d9c7f535c7ea2fdeec0715d507d

SHA512
eae0a31478bb170a4dbd1e9fc5439140e1974665342845bc0de5cb932d8eeb05597622e874525c02ff904e964971a956b0fca9e1a5af23588c476de7d5dcd1f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f80a40ceb9d3c82eac29bd6b1f7f7c8f

SHA1
aa135ce70352cb0b9c3defe6331435cc4683834c

SHA256
68768cc816436f9653f0d50200ec817948cf9e1fa01f593876c32c825d516500

SHA512
13c12302a70fd1f19ca2065d53fd7caae63ee49b41ea51e127b958e8d193f655025fa399107c1d8c87bfa6dbcfeabb864aa814c6ae3da8d0b89695b4016739ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
f58419196c169c0e4de7a6018c870fe7

SHA1
e4802d79e9e044faf7e18774285f54fb060aec18

SHA256
82748bb633ac8d60021928b42de6f82670377e9bbfc9b8ed583e893724199db2

SHA512
d5d6034fe1cb9131b5c64bfebd4d62818e06f27a1aa55dc4a44f39b5318458b680f9004690e2557168c75ce9c0ed088d81f13cd69d9f2d895225ae706353ea1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
0f8fb39ca60325da6d71ba81e03a34b2

SHA1
58761ae05ce6d5fee6158f8fcdad68c1259edb33

SHA256
b6a6ae508cf8acbc56eed6a01b0c7edb669ef8056f4eda329495571a0c16b901

SHA512
864ea82112b3069d898fb951873657ae4cb7c3b1a5364d2e877a5a34526c60c1877d87b9712e3b90ef416eae539b83348743aa162b7c0cc88951863368cfef11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
67b343ad4d5272657f2192663727cb6b

SHA1
3c3241383084d29b64a15fc5f8d9969dc3d0835b

SHA256
825e465c5bca16ee07abb44b3c669918773cbc9321f901cd9c48de1f3d6c4370

SHA512
d46f4cba597fd362a1610606401572bc08d58e3f55d19781867475dea3b8a6eb1288636a2275baa00292add69fabee8c321a5f175b70c8423b67c76713ffca3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e05bb75da254cd4056b54b4e0c186c76

SHA1
b33bd876018b411dc9ac2e3e741c70d1d5eee94b

SHA256
54337c8f9669c860f4a34fb14b1d0548e2dcea4ebe725e318426c6f45faa7a5e

SHA512
edf918d6dd6e80ef8e3075d03d82d04daa5f22aee680388df6fb76928966835878da7bcd78c905d2247f01131242a091a17be520e8a297dae8de7612cff56a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon03184374b6827dae2.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
19fbcf772c17ef1952a44f44087f2192

SHA1
4907e1e01a16cd729a6a57b071e770534a88494b

SHA256
8b35c58595dbdbc66e90cdda6eb7aa2135e57d0d2aea51fdbaa2f854d4c6b450

SHA512
375e50647e48f913a789b21d1213505f640ca1d53a6438f0b31c248c0020556201f5d521c42f0e1d5f488c674db9604f77066f6f166545a2cb152a159fa044f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
311KB

MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03184374b6827dae2.exe

Filesize
526KB

MD5
7df1d7d115da507238cf409fa1bd0b91

SHA1
a133c62a14f3871c552a0bcad87a291d5744c2cf

SHA256
2bed8e9c8a557e04ab5f5c3b2a4a26133f62993277dbf0fa0ab574eabb4eddd0

SHA512
2ab249240a4c76d65a225787f2207f38a08cd3e2756bf23c2446343a583fb32a51b5e5674c3af2100a55e53ab49167c462061f251d19e3f89c23526d752c688a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0318a4864788e065.exe

Filesize
327KB

MD5
47e1245ae15e44e2df28280d95ad2741

SHA1
cb5abc70156154368ff10271fa1c1e80dab6d417

SHA256
c614c4dfbc4fd75a9ccd3ed8b14440de34a7c1945ccf865a414e2e3111162696

SHA512
032df7df40c06266c25a25a2efd945bfd7591dc442b3f4183163491f432f1be8ce2b0554067c3fe02361aeb962bd53d20878db3bec495a52c13787b31dceadeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0333ecac229eb22.exe

Filesize
124KB

MD5
b6f7de71dcc4573e5e5588d6876311fc

SHA1
645b41e6ea119615db745dd8e776672a4ba59c57

SHA256
73437218cd12895c7a59c0c03009417705ed231d323e3a1ad279750e46bcc8ad

SHA512
ca297d40f0e2cc45d5737627a1aaeec61bf7c6f425acadb14e689b4392fcc4a17e74dc1514fb3bf8d9a6a91b5cea38801996a2a7ee2dee0c335bfb2f103c6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0337242833e.exe

Filesize
1.9MB

MD5
d1ec05df172b32843f1564bc34feef68

SHA1
29ae8b1a96f294b2f420c7710c81740e79eb2b91

SHA256
e7bfb6e1cba02dd07c20e937a535193f25e87194be8fa6f949a967dc7bd919cf

SHA512
500e55b9976837acf11c97021361f7a57c7425f25e95aab20f5d83fe5c8d582de7bcae0b500cbaf85da52fc739aaaef7a3bd5f8d8b500820b83a0bbd286d26fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon034a40f4c2.exe

Filesize
1.7MB

MD5
99918fe3d5011f5e084492e0d9701779

SHA1
55f7a03c6380bb9f51793be0774681b473e07c9f

SHA256
558a67043fbcd0bc37d34c99ff16f66b259b24b44811516ceff678964ec655c4

SHA512
682f1c6c648319c974e608defa41b714d0e8c3670d3f5e669b7227aaf5400285f9f0c6c5c82c50518031d8a93a3cfd591031651068d5a458a6606f2bf51d3e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon036bb55bb30d.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon036f89e9eef8271.exe

Filesize
759KB

MD5
f85794c2bf341a1efe78cdad0b1b4dc5

SHA1
d7ff2be2dafed282b5eda883ee7d02a4eca75194

SHA256
6455d5f4eae530ace507b2ac338777b408e99094acf96bbef7603d7af641b833

SHA512
91f98cff29225a025114013a9ce7423a3e5646725a927606f66577724a691b367004ca8d36ce51f129243a6a87003abd8dd09fa7b195e8ecf70fbc73305f7790

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon0376e7a8f67a.exe

Filesize
1.9MB

MD5
a3ba569405d0fa3f577e9c83b6c303af

SHA1
2ba0d6724aa30dc474ee00a06573e8652a117eac

SHA256
2799a1a7d1a6d1e1dc2746bea858c4052cab03833b069beac261a9f4ad56be90

SHA512
f23907f89db9e9bc6ce80faf1577a461de9ddd23009069a3ab4ab8bc18f610a6c5b44bac5469145fdc61ba130755c02baf83783d7a31d0de747d1b11f260ad0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03c16839a9b.exe

Filesize
316KB

MD5
8427ae0ce0ded0794b9e0b3dd422702e

SHA1
6e5350072840eb80a09e2c28ce22c2bca8e2aab1

SHA256
8ca5df6f0a4bbc6ae6a0f56b5b2c72e253c4cc72c40919d8984039de8f45e41a

SHA512
90cb046d28eb7e956f99e024a89c05a14cae99580122d99fe49872b36c8f8de95331dd4fee60458b118f96ab40baf770c3f07dbcef2b4b6530832fcb00feac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03f186a0d10.exe

Filesize
1.4MB

MD5
28a0b3751b521af221baa3a76f32c8c1

SHA1
f71aaa12ac600549120b062cbbd852b1a1807c43

SHA256
710ceb98e12443d28a9fd280b453eade11bc3483f6280dc224eb48ed327028ca

SHA512
a3773694f59a8f4c7cd06f7dc97c41bf943cf2e9b6283027964890f0122e26c9822e6b91b3ac23eacefa6954b0b983e7dd9226bfb37682f1645f8c85b24fda4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\Mon03ff1e89e18831.exe

Filesize
1.9MB

MD5
74e88352f861cb12890a36f1e475b4af

SHA1
7dd54ab35260f277b8dcafb556dd66f4667c22d1

SHA256
64578ffca840ebc3f791f1faa21252941d9fd384622d54a28226659ad05650a3

SHA512
18a6911b0d86088d265f49471c52d901a39d1549f9ac36681946a1b91fdb2f71f162ddf4b4659be061302fae6d616852d44c9a151f66eb53bbcc2fde6e7b9463

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49515997\setup_install.exe

Filesize
2.1MB

MD5
cd66b43b6558d0e17a0e92fd7ac42787

SHA1
90aedefa4b7082676d02568eb31012e40d1d6655

SHA256
ea8907747931024f386f148247b5cf0c1fff53df0d61ab6a1d85c84809511aab

SHA512
5f5848a056eaab118bf2a80fdf5fc0b6262654c9564a955f9e956ed89c102c610346e1d8de75a4b1840166062fe3299b70c049c8f6d25109cc073a91288a0b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frnkaxu0.c0j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58bb7b.exe

Filesize
11KB

MD5
620bda3df817bff8deb38758d1dc668c

SHA1
9933523941851b42047f2b7a1324eb8daa8fb1ff

SHA256
b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3

SHA512
bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
3d4c08e0305687969de78f4aee28efcf

SHA1
771f74f271f6a11682748d45bf4af001aba77bb3

SHA256
1503e9477eb640b1befe748ad5e10f04593ab144fc2cd748d0fa65d267b43fd5

SHA512
b3da9f9084a31a60213da905b4a8aacf204efeafc0b71816ef91266ab57fd8c8ee8a1119f4aedc198e220af4ecfa2b91a30cf06957cf7261354ab24a0c591476

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-184SU.tmp\Mon034a40f4c2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6GTUB.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DFF8J.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1068-56-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/1068-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-193-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1068-195-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1068-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1068-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1068-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1068-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1068-57-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1068-196-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1068-197-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1068-198-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1068-188-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1068-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1068-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1068-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1360-205-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1428-380-0x000000002ECC0000-0x000000002ED50000-memory.dmp

Filesize
576KB

Download
memory/1428-375-0x000000002DA80000-0x000000002EC07000-memory.dmp

Filesize
17.5MB

Download
memory/1428-340-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1428-376-0x000000002EC10000-0x000000002ECA6000-memory.dmp

Filesize
600KB

Download
memory/1428-366-0x000000002D9E0000-0x000000002DA7C000-memory.dmp

Filesize
624KB

Download
memory/1428-377-0x000000002ECC0000-0x000000002ED50000-memory.dmp

Filesize
576KB

Download
memory/1428-364-0x000000002D9E0000-0x000000002DA7C000-memory.dmp

Filesize
624KB

Download
memory/1428-368-0x000000002D9E0000-0x000000002DA7C000-memory.dmp

Filesize
624KB

Download
memory/1428-397-0x0000000000780000-0x0000000000785000-memory.dmp

Filesize
20KB

Download
memory/1428-363-0x000000002D920000-0x000000002D9D1000-memory.dmp

Filesize
708KB

Download
memory/1428-396-0x0000000000770000-0x0000000000773000-memory.dmp

Filesize
12KB

Download
memory/1428-370-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1428-374-0x000000002D9E0000-0x000000002DA7C000-memory.dmp

Filesize
624KB

Download
memory/1544-138-0x000001A20FA70000-0x000001A20FAC8000-memory.dmp

Filesize
352KB

Download
memory/1544-160-0x000001A20FE80000-0x000001A20FE86000-memory.dmp

Filesize
24KB

Download
memory/1544-152-0x000001A20FEA0000-0x000001A20FEE6000-memory.dmp

Filesize
280KB

Download
memory/1544-142-0x000001A20FE70000-0x000001A20FE76000-memory.dmp

Filesize
24KB

Download
memory/1700-211-0x0000000006310000-0x0000000006342000-memory.dmp

Filesize
200KB

Download
memory/1700-274-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/1700-239-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/1700-238-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/1700-68-0x000000007306E000-0x000000007306F000-memory.dmp

Filesize
4KB

Download
memory/1700-212-0x000000006E110000-0x000000006E15C000-memory.dmp

Filesize
304KB

Download
memory/1700-241-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/1700-74-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/1700-222-0x0000000006F70000-0x0000000006F8E000-memory.dmp

Filesize
120KB

Download
memory/1700-250-0x00000000072E0000-0x00000000072F1000-memory.dmp

Filesize
68KB

Download
memory/1700-87-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/1700-260-0x000000007306E000-0x000000007306F000-memory.dmp

Filesize
4KB

Download
memory/1700-282-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/1700-154-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/1700-89-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1700-96-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/1700-114-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/1712-323-0x000000002D7B0000-0x000000002E937000-memory.dmp

Filesize
17.5MB

Download
memory/1712-322-0x000000002D710000-0x000000002D7AC000-memory.dmp

Filesize
624KB

Download
memory/1712-321-0x0000000002750000-0x0000000003750000-memory.dmp

Filesize
16.0MB

Download
memory/1712-310-0x000000002D710000-0x000000002D7AC000-memory.dmp

Filesize
624KB

Download
memory/1712-312-0x000000002D710000-0x000000002D7AC000-memory.dmp

Filesize
624KB

Download
memory/1712-309-0x000000002D710000-0x000000002D7AC000-memory.dmp

Filesize
624KB

Download
memory/1712-307-0x000000002D640000-0x000000002D6F1000-memory.dmp

Filesize
708KB

Download
memory/1712-324-0x000000002E940000-0x000000002E9D6000-memory.dmp

Filesize
600KB

Download
memory/1712-337-0x000000002E9F0000-0x000000002EA80000-memory.dmp

Filesize
576KB

Download
memory/1712-248-0x0000000002750000-0x0000000003750000-memory.dmp

Filesize
16.0MB

Download
memory/2468-314-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2760-141-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2760-116-0x00000000003A0000-0x000000000042A000-memory.dmp

Filesize
552KB

Download
memory/2760-134-0x0000000004AE0000-0x0000000004AFE000-memory.dmp

Filesize
120KB

Download
memory/2760-133-0x0000000004B00000-0x0000000004B76000-memory.dmp

Filesize
472KB

Download
memory/2908-450-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2924-313-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2924-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3204-187-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3204-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3428-287-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3464-110-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3464-157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4180-189-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4440-283-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4820-150-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4972-97-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-90-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4972-237-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/4972-158-0x0000000006A50000-0x0000000006A9C000-memory.dmp

Filesize
304KB

Download
memory/4972-69-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-86-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/4972-278-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-275-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-223-0x000000006E110000-0x000000006E15C000-memory.dmp

Filesize
304KB

Download
memory/4972-273-0x0000000007B10000-0x0000000007B18000-memory.dmp

Filesize
32KB

Download
memory/4972-271-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4972-70-0x0000000004F20000-0x0000000004F56000-memory.dmp

Filesize
216KB

Download
memory/4972-268-0x0000000007A30000-0x0000000007A44000-memory.dmp

Filesize
80KB

Download
memory/4972-240-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-266-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/4972-75-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-233-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/4972-261-0x0000000073060000-0x0000000073810000-memory.dmp

Filesize
7.7MB

Download
memory/4972-249-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/5008-183-0x0000000005B30000-0x0000000006148000-memory.dmp

Filesize
6.1MB

Download
memory/5008-184-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/5008-182-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5008-186-0x0000000005660000-0x000000000569C000-memory.dmp

Filesize
240KB

Download
memory/5008-185-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download