Analysis Overview
SHA256
2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
Threat Level: Known bad
The file 2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6 was found to be: Known bad.
Malicious Activity Summary
Socelars
GCleaner
Fabookie
Smokeloader family
RedLine
RedLine payload
Redline family
Socelars payload
Socelars family
NullMixer
Detect Fabookie payload
Nullmixer family
SmokeLoader
Gcleaner family
Onlylogger family
Fabookie family
OnlyLogger
OnlyLogger payload
Detected Nirsoft tools
NirSoft WebBrowserPassView
Blocklisted process makes network request
Loads dropped DLL
ASPack v2.12-2.42
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops Chrome extension
Looks up geolocation information via web service
Adds Run key to start application
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Browser Information Discovery
Enumerates system info in registry
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 09:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 09:03
Reported
2024-11-09 09:06
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2172 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe |
| PID 1584 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe |
| PID 236 set thread context of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f78d430.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waitfor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe
61f292a50b8fa_Thu12c85191.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe
61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe
61f292a8a0a6c_Thu12fda79da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe
61f292ae71b3f_Thu1291f781.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe
61f292ac194f1_Thu1230653d.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe
61f292adcd500_Thu12dd12e2c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe
61f292a4b3280_Thu12692268df32.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe
61f292ad20a43_Thu120f4aad3d7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe
61f292aaee251_Thu12817405.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe
61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$8015A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe"
C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$70158,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 19
C:\Windows\SysWOW64\timeout.exe
timeout 19
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe
61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe
61f292ae24e70_Thu12a74e4137.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe
61f292b2a8973_Thu12d2978de30.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$501EA,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\CZlKA.Q5
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 480
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
Sul.exe.pif J
C:\Windows\SysWOW64\waitfor.exe
waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1424
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 484
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1640 -s 488
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\CZlKA.Q5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1148
C:\Users\Admin\AppData\Local\Temp\f78d430.exe
"C:\Users\Admin\AppData\Local\Temp\f78d430.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hornygl.xyz | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| N/A | 127.0.0.1:49303 | tcp | |
| N/A | 127.0.0.1:49305 | tcp | |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | zenitsu.s3.pl-waw.scw.cloud | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| PL | 151.115.10.3:80 | zenitsu.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | inosuke.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.3:80 | inosuke.s3.pl-waw.scw.cloud | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | onlinehueplet.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 8.8.8.8:53 | KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW | udp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | presstheme.me | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| NL | 81.4.105.174:80 | tcp | |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| US | 8.8.8.8:53 | dll1.stdcdn.com | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| CH | 80.67.82.89:80 | crl.microsoft.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| FR | 77.132.68.187:8080 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| FR | 77.132.68.187:8080 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
| MD5 | b14eef8f9059c67b05c710b51d150f82 |
| SHA1 | 645988e081d1948cae842614cc75875aec8cf68c |
| SHA256 | 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e |
| SHA512 | bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2528-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2528-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2528-71-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2528-70-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2528-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe
| MD5 | 4fda4b291bdc23439208635f8b4f10e5 |
| SHA1 | 6911fce737067d5bbeab05960ecd56d3a0fe0dfb |
| SHA256 | 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480 |
| SHA512 | 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe
| MD5 | fbd3940d1ad28166d8539eae23d44d5b |
| SHA1 | 55fff8a0aa435885fc86f7f33fec24558aa21ef5 |
| SHA256 | 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7 |
| SHA512 | 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe
| MD5 | a05b981f73e296c8edf29ea9f68b8355 |
| SHA1 | f959ea0a5569320682e194bd87ae3fbf0b382647 |
| SHA256 | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100 |
| SHA512 | d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe
| MD5 | 5b14369c347439becacaa0883c07f17b |
| SHA1 | 126b0012934a2bf5aab025d931feb3b4315a2d9a |
| SHA256 | 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307 |
| SHA512 | 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b |
memory/2528-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2528-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2528-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-74-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2528-73-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2528-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe
| MD5 | b8ecec542a07067a193637269973c2e8 |
| SHA1 | 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb |
| SHA256 | fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e |
| SHA512 | 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe
| MD5 | af0de0482a6545057fb04ece77e0e83e |
| SHA1 | a5275870f175a76ae14d965211d02a5214adb5c2 |
| SHA256 | 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a |
| SHA512 | 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe
| MD5 | e65bf2d56fcaa18c1a8d0d481072dc62 |
| SHA1 | c7492c7e09b329bed044e9ee45e425e0817c22f4 |
| SHA256 | c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895 |
| SHA512 | 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe
| MD5 | 8b361d36500a8a4abd21c08235e6c0c8 |
| SHA1 | c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce |
| SHA256 | dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5 |
| SHA512 | 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a |
memory/1572-126-0x00000000004D0000-0x0000000000593000-memory.dmp
memory/1572-125-0x0000000000400000-0x00000000004C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe
| MD5 | 79400b1fd740d9cb7ec7c2c2e9a7d618 |
| SHA1 | 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3 |
| SHA256 | 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f |
| SHA512 | 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
| MD5 | 2fd3235d23e379fcca10cf25661689c8 |
| SHA1 | ac4c74c6c95693a6d9d67caf55a6106eaa408959 |
| SHA256 | a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc |
| SHA512 | e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe
| MD5 | cc722fd0bd387cf472350dc2dd7ddd1e |
| SHA1 | 49d288ddbb09265a586dd8d6629c130be7063afa |
| SHA256 | 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2 |
| SHA512 | 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b |
memory/1836-121-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/2872-130-0x00000000001B0000-0x00000000001B8000-memory.dmp
memory/1836-116-0x0000000000400000-0x00000000004C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe
| MD5 | b0448525c5a00135bb5b658cc6745574 |
| SHA1 | a08d53ce43ad01d47564a7dcdb87383652ef29f5 |
| SHA256 | b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859 |
| SHA512 | b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe
| MD5 | ce54b9287c3e4b5733035d0be085d989 |
| SHA1 | 07a17e423bf89d9b056562d822a8f651aeb33c96 |
| SHA256 | e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112 |
| SHA512 | c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe
| MD5 | 9691ad5126152a385a01220ee47221c1 |
| SHA1 | 48465630edcdc71525c792c0b855ef0d321f6a5e |
| SHA256 | 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67 |
| SHA512 | b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949 |
C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe
| MD5 | 6cda68905cfd314c1b5dcafd6adebc96 |
| SHA1 | c6e952b5190121ab0c082a2de4bc0caf06d1dcf0 |
| SHA256 | 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0 |
| SHA512 | 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6 |
memory/1572-135-0x00000000003C0000-0x00000000003D8000-memory.dmp
memory/1572-134-0x0000000000350000-0x000000000038E000-memory.dmp
memory/1572-133-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/1572-132-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/2092-145-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1972-148-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2164-146-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2092-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2348-151-0x00000000011A0000-0x00000000011C0000-memory.dmp
memory/1572-155-0x0000000000250000-0x000000000025A000-memory.dmp
memory/1420-159-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2092-162-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1208-176-0x0000000000400000-0x0000000000682000-memory.dmp
memory/2956-179-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1584-178-0x00000000000C0000-0x000000000014A000-memory.dmp
memory/2164-177-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp
| MD5 | 83b531c1515044f8241cd9627fbfbe86 |
| SHA1 | d2f7096e18531abb963fc9af7ecc543641570ac8 |
| SHA256 | 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c |
| SHA512 | 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b |
C:\Users\Admin\AppData\Local\Temp\is-9FU41.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/1972-202-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2448-201-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2636-224-0x0000000002870000-0x0000000003870000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFFC2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2528-233-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | 94989927a6611e1919f84e1871922b63 |
| SHA1 | b602e4c47c9c42c273b68a1ce85f0814c0e05deb |
| SHA256 | 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17 |
| SHA512 | ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e |
memory/1696-244-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1836-241-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1696-240-0x0000000000240000-0x00000000002C0000-memory.dmp
memory/1696-239-0x0000000000240000-0x00000000002C0000-memory.dmp
memory/1696-238-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1836-248-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1572-249-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1572-250-0x0000000000350000-0x000000000038E000-memory.dmp
memory/1572-251-0x00000000003C0000-0x00000000003D8000-memory.dmp
memory/1572-253-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/2528-260-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-259-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2528-258-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2528-257-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2528-255-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1604-265-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | d0527733abcc5c58735e11d43061b431 |
| SHA1 | 28de9d191826192721e325787b8a50a84328cffd |
| SHA256 | b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45 |
| SHA512 | 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5 |
memory/2696-266-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-268-0x0000000000240000-0x00000000002C3000-memory.dmp
memory/2696-267-0x0000000000240000-0x00000000002C3000-memory.dmp
memory/2956-269-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2828-270-0x0000000000400000-0x0000000000682000-memory.dmp
memory/2528-280-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2528-279-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2528-278-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2528-277-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2528-275-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2528-271-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1632-290-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1632-289-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1632-287-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1632-285-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1632-283-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1632-281-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1632-293-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2696-304-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-306-0x0000000000240000-0x00000000002C3000-memory.dmp
memory/2696-305-0x0000000000240000-0x00000000002C3000-memory.dmp
memory/2696-309-0x0000000000400000-0x0000000000483000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f78d430.exe
| MD5 | 620bda3df817bff8deb38758d1dc668c |
| SHA1 | 9933523941851b42047f2b7a1324eb8daa8fb1ff |
| SHA256 | b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3 |
| SHA512 | bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568 |
memory/2696-398-0x0000000000B80000-0x0000000000B88000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 09:03
Reported
2024-11-09 09:06
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3236 set thread context of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe |
| PID 3940 set thread context of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waitfor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756166417928637" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe
61f292a3b1188_Thu12926eaf6b3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe
61f292a4b3280_Thu12692268df32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe
61f292ac194f1_Thu1230653d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
61f292aaee251_Thu12817405.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe
61f292a50b8fa_Thu12c85191.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe
61f292a8a0a6c_Thu12fda79da.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe
61f292ad20a43_Thu120f4aad3d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe
61f292adcd500_Thu12dd12e2c.exe
C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$7015A,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe
61f292ae71b3f_Thu1291f781.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412
C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$8024C,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe
61f292ae24e70_Thu12a74e4137.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe
61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3372 -ip 3372
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b465d58_Thu127ed1404d.exe
61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe
61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 19
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 356
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$40286,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1464 -ip 1464
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\CZlKA.Q5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 624
C:\Windows\SysWOW64\timeout.exe
timeout 19
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 916 -ip 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1776
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 624
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 648
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1464 -ip 1464
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
Sul.exe.pif J
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 728
C:\Windows\SysWOW64\waitfor.exe
waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc76e3cc40,0x7ffc76e3cc4c,0x7ffc76e3cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2476 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 856
C:\Windows\SysWOW64\rundll32.exe
rundll32
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4740,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5352,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5572 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3832 -ip 3832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1264
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4984,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5092,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hornygl.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | zenitsu.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.3:80 | zenitsu.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.10.115.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | inosuke.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.3:80 | inosuke.s3.pl-waw.scw.cloud | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | presstheme.me | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onlinehueplet.com | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| N/A | 127.0.0.1:53191 | tcp | |
| N/A | 127.0.0.1:53193 | tcp | |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.213.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 1.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| NL | 81.4.105.174:80 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 193.108.222.173.in-addr.arpa | udp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe
| MD5 | b14eef8f9059c67b05c710b51d150f82 |
| SHA1 | 645988e081d1948cae842614cc75875aec8cf68c |
| SHA256 | 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e |
| SHA512 | bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5 |
memory/3412-54-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/3412-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3412-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3412-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe
| MD5 | 5b14369c347439becacaa0883c07f17b |
| SHA1 | 126b0012934a2bf5aab025d931feb3b4315a2d9a |
| SHA256 | 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307 |
| SHA512 | 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe
| MD5 | 8b361d36500a8a4abd21c08235e6c0c8 |
| SHA1 | c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce |
| SHA256 | dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5 |
| SHA512 | 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe
| MD5 | b0448525c5a00135bb5b658cc6745574 |
| SHA1 | a08d53ce43ad01d47564a7dcdb87383652ef29f5 |
| SHA256 | b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859 |
| SHA512 | b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe
| MD5 | af0de0482a6545057fb04ece77e0e83e |
| SHA1 | a5275870f175a76ae14d965211d02a5214adb5c2 |
| SHA256 | 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a |
| SHA512 | 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
| MD5 | e65bf2d56fcaa18c1a8d0d481072dc62 |
| SHA1 | c7492c7e09b329bed044e9ee45e425e0817c22f4 |
| SHA256 | c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895 |
| SHA512 | 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe
| MD5 | b8ecec542a07067a193637269973c2e8 |
| SHA1 | 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb |
| SHA256 | fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e |
| SHA512 | 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe
| MD5 | a05b981f73e296c8edf29ea9f68b8355 |
| SHA1 | f959ea0a5569320682e194bd87ae3fbf0b382647 |
| SHA256 | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100 |
| SHA512 | d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe
| MD5 | 4fda4b291bdc23439208635f8b4f10e5 |
| SHA1 | 6911fce737067d5bbeab05960ecd56d3a0fe0dfb |
| SHA256 | 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480 |
| SHA512 | 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe
| MD5 | fbd3940d1ad28166d8539eae23d44d5b |
| SHA1 | 55fff8a0aa435885fc86f7f33fec24558aa21ef5 |
| SHA256 | 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7 |
| SHA512 | 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe
| MD5 | cc722fd0bd387cf472350dc2dd7ddd1e |
| SHA1 | 49d288ddbb09265a586dd8d6629c130be7063afa |
| SHA256 | 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2 |
| SHA512 | 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe
| MD5 | ce54b9287c3e4b5733035d0be085d989 |
| SHA1 | 07a17e423bf89d9b056562d822a8f651aeb33c96 |
| SHA256 | e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112 |
| SHA512 | c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe
| MD5 | 2fd3235d23e379fcca10cf25661689c8 |
| SHA1 | ac4c74c6c95693a6d9d67caf55a6106eaa408959 |
| SHA256 | a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc |
| SHA512 | e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe
| MD5 | 9691ad5126152a385a01220ee47221c1 |
| SHA1 | 48465630edcdc71525c792c0b855ef0d321f6a5e |
| SHA256 | 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67 |
| SHA512 | b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949 |
memory/644-104-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1136-105-0x00000000029E0000-0x0000000002A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-R76C1.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/644-126-0x0000000000710000-0x0000000000728000-memory.dmp
memory/644-134-0x00000000023B0000-0x00000000023BA000-memory.dmp
memory/644-137-0x00000000004F0000-0x0000000000582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp
| MD5 | 83b531c1515044f8241cd9627fbfbe86 |
| SHA1 | d2f7096e18531abb963fc9af7ecc543641570ac8 |
| SHA256 | 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c |
| SHA512 | 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b |
C:\Users\Admin\AppData\Local\Temp\is-Q153P.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/3940-155-0x0000000000830000-0x00000000008BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe
| MD5 | 6cda68905cfd314c1b5dcafd6adebc96 |
| SHA1 | c6e952b5190121ab0c082a2de4bc0caf06d1dcf0 |
| SHA256 | 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0 |
| SHA512 | 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6 |
memory/1136-171-0x0000000005AF0000-0x0000000005B56000-memory.dmp
memory/540-180-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2060-182-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/540-175-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1136-173-0x0000000005B60000-0x0000000005EB4000-memory.dmp
memory/3940-172-0x00000000050F0000-0x000000000510E000-memory.dmp
memory/1136-170-0x0000000005A80000-0x0000000005AE6000-memory.dmp
memory/1136-169-0x00000000059E0000-0x0000000005A02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pgs0tdt.3ez.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3940-158-0x0000000005110000-0x0000000005186000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b465d58_Thu127ed1404d.exe
| MD5 | 79400b1fd740d9cb7ec7c2c2e9a7d618 |
| SHA1 | 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3 |
| SHA256 | 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f |
| SHA512 | 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac |
memory/644-135-0x0000000005580000-0x0000000005B24000-memory.dmp
memory/312-121-0x0000000000050000-0x0000000000058000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/644-112-0x00000000021F0000-0x000000000222E000-memory.dmp
memory/644-111-0x0000000000740000-0x0000000000741000-memory.dmp
memory/644-110-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1136-109-0x0000000005110000-0x0000000005738000-memory.dmp
memory/3832-103-0x00000000004D0000-0x00000000004F0000-memory.dmp
memory/2280-99-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/3996-89-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3412-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3412-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3412-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3412-70-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3412-68-0x000000006494A000-0x000000006494F000-memory.dmp
memory/3412-67-0x0000000000F30000-0x0000000000FBF000-memory.dmp
memory/3412-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3412-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3412-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3412-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3412-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/1928-188-0x0000000000400000-0x0000000000682000-memory.dmp
memory/2664-189-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2280-200-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/3996-201-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk
| MD5 | b2a2f85b4201446b23a250f68051b4dc |
| SHA1 | 8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5 |
| SHA256 | 910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade |
| SHA512 | 188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c |
memory/644-191-0x0000000000710000-0x0000000000728000-memory.dmp
memory/3412-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3412-215-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3372-217-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3412-214-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3412-213-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3412-211-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3412-207-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1136-226-0x0000000006080000-0x00000000060CC000-memory.dmp
memory/1136-225-0x0000000006040000-0x000000000605E000-memory.dmp
memory/4908-230-0x0000000002EE0000-0x0000000003EE0000-memory.dmp
memory/644-233-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/644-231-0x00000000021F0000-0x000000000222E000-memory.dmp
memory/1136-246-0x0000000006610000-0x000000000662E000-memory.dmp
memory/1136-236-0x000000006E0C0000-0x000000006E10C000-memory.dmp
memory/1136-247-0x0000000007020000-0x00000000070C3000-memory.dmp
memory/1136-235-0x0000000006630000-0x0000000006662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | 94989927a6611e1919f84e1871922b63 |
| SHA1 | b602e4c47c9c42c273b68a1ce85f0814c0e05deb |
| SHA256 | 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17 |
| SHA512 | ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e |
memory/5004-252-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1136-253-0x0000000007360000-0x000000000737A000-memory.dmp
memory/1136-251-0x00000000079A0000-0x000000000801A000-memory.dmp
memory/5004-256-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1136-257-0x00000000073E0000-0x00000000073EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk
| MD5 | 662676b6ae749090c43a0c5507b16131 |
| SHA1 | 0aec9044c592c79aa2a44f66b73ed0c5cb62fd68 |
| SHA256 | 4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4 |
| SHA512 | ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4 |
memory/1136-261-0x00000000075D0000-0x0000000007666000-memory.dmp
memory/1136-262-0x0000000007560000-0x0000000007571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Riflettere.wbk
| MD5 | 4008d7f17a08efd3fbd18e4e1ba29e00 |
| SHA1 | 53e25946589981cb36b0e9fb5b26fc334d4f9424 |
| SHA256 | 752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b |
| SHA512 | 39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978 |
memory/1136-267-0x00000000075A0000-0x00000000075AE000-memory.dmp
memory/1136-268-0x00000000075B0000-0x00000000075C4000-memory.dmp
memory/1136-269-0x0000000007690000-0x00000000076AA000-memory.dmp
memory/1136-270-0x0000000007680000-0x0000000007688000-memory.dmp
memory/1348-276-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1348-277-0x00000000059B0000-0x0000000005FC8000-memory.dmp
memory/1348-279-0x0000000005530000-0x000000000563A000-memory.dmp
memory/1348-278-0x0000000005400000-0x0000000005412000-memory.dmp
memory/1348-280-0x0000000005460000-0x000000000549C000-memory.dmp
memory/1348-281-0x00000000054C0000-0x000000000550C000-memory.dmp
memory/5092-283-0x0000000000400000-0x0000000000483000-memory.dmp
memory/5092-298-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1464-299-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2060-315-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2452-316-0x0000000000400000-0x0000000000682000-memory.dmp
memory/1464-317-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4908-318-0x0000000002EE0000-0x0000000003EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 950ebe8e4f8d7ab158039fec67b726cd |
| SHA1 | 22b350a557bc5af35555a087e01da213fd34e6a9 |
| SHA256 | c9d0e4992609f9673849d2eb2fe333a1cd452d3875c35dd8380b2cacdc360022 |
| SHA512 | 936826be37923c95b718e17342840fa100a308527fd0f0ec28e250512e436739c845b27bc7b6acaa1dc487a99c998ef93518c79a5376686d685338f5ce972dd0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 88ced490f88048915a5b060e9d5efa61 |
| SHA1 | edacaeadb3f50c3d58b9c5ee0581dea04a54e25b |
| SHA256 | 54393570808c068bae58e39d07d31fab0b074bf78ed85c031aac1fd75a20f080 |
| SHA512 | 9ca3255991d32058c231e3915c1fbaeb4b9ff7a39acb009d28ff3f030d681df4ae15528f7af1f9d28a1e44704c8423886459a250cbbe382f7fb2fc7ede065ecf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\21170385-dd10-4b23-bd62-c0ab072416ba.tmp
| MD5 | 4f285392e602df32a133b10eaf2ad18a |
| SHA1 | 5344aa5e6740825ca7222ad45cdcd6df07c8316c |
| SHA256 | 1493e6d3ef4ba244e58e8de805ef815937959f01c5480861b794dc63b4617a6c |
| SHA512 | 508bb98ea5e727a97e9bda438c39860fab02a32773a81f3738126be9cd85823685ac4ac85b3755eae847814004b624e92136c6eb275bfb45382fdd89609e2129 |
memory/4908-358-0x0000000002EE0000-0x0000000003EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | dc6e3c91e4c0462370004b208badf212 |
| SHA1 | fab8c02c8941a033aa072a15291a7b4de296b771 |
| SHA256 | e93bfcf2e79df97258a9d64ef49a7b01fff23a2b55bd24ef68ed65711e003c37 |
| SHA512 | d04901ffbef9796544084d0744bbf9ef77d92aea0ea3ebaad204120d0de739a7a043ae1a22daf0b269d8f585b914181467abdb7bbd16e62a45fb8122dc12f099 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 1586b9fadd7848b23fc93b546fad8939 |
| SHA1 | fe80286b8e7d1cc89f1f04b2511343b32ab15d44 |
| SHA256 | b90f589b627131ac64d8e17a10b595cb6c06f29b4f1a977d51106b659ea6eb0f |
| SHA512 | 95af1e143cb37db24eacbe33b3dc6065898765179c12bd0fcd0db557ca20032c2c0cbfb45458a6007936448a31ee05daf2383a70ed1fb039584ef3c801390c2e |
C:\Users\Admin\AppData\Local\Temp\scoped_dir2476_590880022\6aaf43cd-e82c-440a-a85f-6fec91ec5f93.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
memory/4908-385-0x0000000002EE0000-0x0000000003EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 257f1b65f9649a9668953ae141e5cc41 |
| SHA1 | ff7ea2d20b097b727afee39758101645804411fe |
| SHA256 | 77b59f1dd7014a925d408ca5a1a71444bdf4c99b1748975be845d62dfedf7933 |
| SHA512 | a02f62555fbefa3b7bfa6cbda8b0e28d89c12f55111b5e480aa782346a5eecb02a4a769be40f4943dd9a717cd6ae6321750de2840932e44336c082bfaeb6145d |
C:\Users\Admin\AppData\Local\Temp\scoped_dir2476_590880022\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5bbbf3e45853c2d1714c84f935224968 |
| SHA1 | 92665987a4f20f769125b78285b64bd5127345b2 |
| SHA256 | e9fd0490ff92a3ce62f8a365d4c4a072087cc15c62c62332b470e57db7fdccc6 |
| SHA512 | 2aa97893ff90dafcd8964c335d2e7dbc657053eb53473238fea4a44818d6efe25cfae5b45ed881fff7fdd680ded510ab614faa0196566fc2c2a755dcb8ce2943 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | f11458940680fae51d80535f418a9faa |
| SHA1 | baa64bcc4fc8337dad6fdc00d81afe0a50a2e188 |
| SHA256 | 26b5a61bc8e545608b00751b238e7d961808ef6200c887562b89103e063abf8d |
| SHA512 | 37197ee8bcc4020cd72655dfd17f76918a24e957197a4d0359613a7c624b202390d30d9cd3bd66aaff3221cf51a9efe47d37ad8af7fe8de17c97325a0d9d5249 |
memory/4908-645-0x0000000002EE0000-0x0000000003EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0ed74164362af9c0f3ceda2ba795ca2e |
| SHA1 | f53450241b3d6660a815ffcef772e17b3bc17e5d |
| SHA256 | f76271f1ad1f5e7bd5d1a920986c6ab3a333c384448e90eb3d7bcdf6bca417b9 |
| SHA512 | 9cc949327f9193257146774125ad6a45fb054656b4e89b4afcd55a3d2bd367fc4352ce03224bc326ddf677687c99f464567187105bd544667342873f73c94ecf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 717da977515dadb8b68e981e13b018c8 |
| SHA1 | a2017259af728fe7976a31503abcd0bd7d090365 |
| SHA256 | 0900e61aa30ad2b6ede6584a10b36eaf91ff7967d7882d5ecbc8219e1201f0c1 |
| SHA512 | 87c12a3e874d5356c8905613eae80d4ef4a005f78cf7fc06c6630e8b31eef64f76254ca51722999893fb25bc2c47172482cd2a1b5bd6003ccbfabe4a50ff1f83 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | fd4d2eaff8290afadadc8e80e17a8fb3 |
| SHA1 | 935ac22275deae6c225a21d994281f75061bd849 |
| SHA256 | 2f068fdc74bae1b5040c70000c693ed0f53baa2d565703591a13ccf2ddf69564 |
| SHA512 | ad4bb5582e63bd589d8e36156e32a5b960c0e74ae7d6ba72b146ec988ee28e252d72ded7c9d7adbcf288017a780e0f84aed2dbbc71cb3e06ef3a5b94eff1dfa6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5563053cf7221786039aeb1dc75a18b3 |
| SHA1 | 1c316aa01204558f9acb3a78f9d3199b4d654880 |
| SHA256 | 9a17f2e4c2d846256e06f4ea5a32f739c3d2550c0a04818a3c771c07191054c7 |
| SHA512 | 5f2e5f5773390fce8b88f9b97f9a88cebecc438b00ccbad86b72a067b5460da925c0b5630593e4e1357b30395193805ec1913fedd59ef347db5b8258e559ca47 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 72aa0023b1e3821131f9dcc9a2a8f449 |
| SHA1 | ae07004b8fe84b06f05355920a15b9b0666f0105 |
| SHA256 | c946c44e7e2c344741b3e6a35c9b9015095c3bc4ed96b236b829d51de9853068 |
| SHA512 | 069a8ac68df424c4a685dde7b171f9e9d1b36063ea0a8e5d97e79f001449d1b5e98415e3532b422eb99c6d2bb0c0e2a759b5b4be66a8762932e8ea28ae3f1623 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f4b564ba6509904f26820269ba51c5b4 |
| SHA1 | b5f276cd62b2b5563aa53ce2c9a1f07ae65cb512 |
| SHA256 | f40c6bb84ac66a6281d328c163356291abc9320b5e7cae160d765d04df7b9c64 |
| SHA512 | 2ebea5cb44895df89f85ae1edf95e719b48f49cedac7356b9f768716004dc81670e6f037685c9f82b1455a9d52ee54962bf113540553606cda268b19b0bcd2b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 81af45fd999a37b5851d8004b9cf9f2c |
| SHA1 | 31774575f9ae0330332ea3f1a7b8a215d75cdcaa |
| SHA256 | 5c2a3c097918bf7dfb61c71c89a7616bc167fb4ebcdb5b87882aa214d6b418fb |
| SHA512 | 7c189fb64416c67ab6ca1f5deee53207bded89c5b6358dc341e1dfe07ab79dcbe13ffcd9c3c903d1b17a5889fa7c7a8ce6da6ab86b531c59d11eba07a6f7f857 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 09:03
Reported
2024-11-09 09:06
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 896 set thread context of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe |
| PID 2024 set thread context of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe |
| PID 2652 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waitfor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f78841e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe
"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe
61f292a50b8fa_Thu12c85191.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe
61f292a8a0a6c_Thu12fda79da.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe
61f292ae71b3f_Thu1291f781.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe
61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe
61f292ac194f1_Thu1230653d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe
61f292a4b3280_Thu12692268df32.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe
61f292ae24e70_Thu12a74e4137.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe
61f292ad20a43_Thu120f4aad3d7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe
61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe
61f292adcd500_Thu12dd12e2c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe
61f292aaee251_Thu12817405.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe
61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe
61f292a3b1188_Thu12926eaf6b3.exe
C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$901AE,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b465d58_Thu127ed1404d.exe
61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$301E2,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe" -a
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$401E2,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 19
C:\Windows\SysWOW64\timeout.exe
timeout 19
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
Sul.exe.pif J
C:\Windows\SysWOW64\waitfor.exe
waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\CZlKA.Q5
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1480
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 484
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2016 -s 488
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\CZlKA.Q5
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1140
C:\Users\Admin\AppData\Local\Temp\f78841e.exe
"C:\Users\Admin\AppData\Local\Temp\f78841e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hornygl.xyz | udp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| N/A | 127.0.0.1:49282 | tcp | |
| N/A | 127.0.0.1:49285 | tcp | |
| US | 8.8.8.8:53 | KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | zenitsu.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | onlinehueplet.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| PL | 151.115.10.3:80 | zenitsu.s3.pl-waw.scw.cloud | tcp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 8.8.8.8:53 | inosuke.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | presstheme.me | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| PL | 151.115.10.4:80 | inosuke.s3.pl-waw.scw.cloud | tcp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| NL | 81.4.105.174:80 | tcp | |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | dll1.stdcdn.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| CH | 80.67.82.104:80 | crl.microsoft.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FR | 77.132.68.187:8080 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FR | 77.132.68.187:8080 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe
| MD5 | b8ecec542a07067a193637269973c2e8 |
| SHA1 | 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb |
| SHA256 | fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e |
| SHA512 | 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893 |
memory/2912-131-0x0000000000400000-0x0000000000414000-memory.dmp
memory/108-127-0x0000000000CA0000-0x0000000000CA8000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe
| MD5 | 4fda4b291bdc23439208635f8b4f10e5 |
| SHA1 | 6911fce737067d5bbeab05960ecd56d3a0fe0dfb |
| SHA256 | 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480 |
| SHA512 | 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe
| MD5 | 5b14369c347439becacaa0883c07f17b |
| SHA1 | 126b0012934a2bf5aab025d931feb3b4315a2d9a |
| SHA256 | 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307 |
| SHA512 | 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe
| MD5 | ce54b9287c3e4b5733035d0be085d989 |
| SHA1 | 07a17e423bf89d9b056562d822a8f651aeb33c96 |
| SHA256 | e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112 |
| SHA512 | c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0 |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe
| MD5 | cc722fd0bd387cf472350dc2dd7ddd1e |
| SHA1 | 49d288ddbb09265a586dd8d6629c130be7063afa |
| SHA256 | 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2 |
| SHA512 | 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe
| MD5 | 6cda68905cfd314c1b5dcafd6adebc96 |
| SHA1 | c6e952b5190121ab0c082a2de4bc0caf06d1dcf0 |
| SHA256 | 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0 |
| SHA512 | 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6 |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe
| MD5 | 2fd3235d23e379fcca10cf25661689c8 |
| SHA1 | ac4c74c6c95693a6d9d67caf55a6106eaa408959 |
| SHA256 | a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc |
| SHA512 | e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0 |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe
| MD5 | 8b361d36500a8a4abd21c08235e6c0c8 |
| SHA1 | c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce |
| SHA256 | dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5 |
| SHA512 | 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe
| MD5 | a05b981f73e296c8edf29ea9f68b8355 |
| SHA1 | f959ea0a5569320682e194bd87ae3fbf0b382647 |
| SHA256 | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100 |
| SHA512 | d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe
| MD5 | af0de0482a6545057fb04ece77e0e83e |
| SHA1 | a5275870f175a76ae14d965211d02a5214adb5c2 |
| SHA256 | 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a |
| SHA512 | 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b465d58_Thu127ed1404d.exe
| MD5 | 79400b1fd740d9cb7ec7c2c2e9a7d618 |
| SHA1 | 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3 |
| SHA256 | 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f |
| SHA512 | 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac |
memory/2024-136-0x0000000000070000-0x00000000000FA000-memory.dmp
memory/2052-135-0x0000000000A20000-0x0000000000A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe
| MD5 | b0448525c5a00135bb5b658cc6745574 |
| SHA1 | a08d53ce43ad01d47564a7dcdb87383652ef29f5 |
| SHA256 | b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859 |
| SHA512 | b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe
| MD5 | 9691ad5126152a385a01220ee47221c1 |
| SHA1 | 48465630edcdc71525c792c0b855ef0d321f6a5e |
| SHA256 | 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67 |
| SHA512 | b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949 |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe
| MD5 | fbd3940d1ad28166d8539eae23d44d5b |
| SHA1 | 55fff8a0aa435885fc86f7f33fec24558aa21ef5 |
| SHA256 | 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7 |
| SHA512 | 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11 |
C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe
| MD5 | e65bf2d56fcaa18c1a8d0d481072dc62 |
| SHA1 | c7492c7e09b329bed044e9ee45e425e0817c22f4 |
| SHA256 | c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895 |
| SHA512 | 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9 |
memory/2612-89-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2612-88-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2612-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2612-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2612-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2612-83-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2612-82-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2612-81-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2612-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
| MD5 | b14eef8f9059c67b05c710b51d150f82 |
| SHA1 | 645988e081d1948cae842614cc75875aec8cf68c |
| SHA256 | 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e |
| SHA512 | bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5 |
memory/2612-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2612-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2612-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d3e22d7fcc478eaf4b9e03a8a5038c12 |
| SHA1 | bfa29d4c2535b479102cd37c4a7f4245961daeb3 |
| SHA256 | 6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656 |
| SHA512 | 83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956 |
memory/1404-143-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2896-157-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2896-156-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2132-142-0x0000000000330000-0x00000000003F3000-memory.dmp
memory/2132-141-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/2132-155-0x00000000005D0000-0x000000000060E000-memory.dmp
memory/1412-140-0x00000000027F0000-0x00000000028B3000-memory.dmp
memory/1412-139-0x00000000027F0000-0x00000000028B3000-memory.dmp
memory/2132-154-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2132-153-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/2132-158-0x00000000003D0000-0x00000000003E8000-memory.dmp
memory/1228-167-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2896-173-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2132-174-0x00000000000F0000-0x00000000000FA000-memory.dmp
memory/2060-188-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1404-191-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2020-190-0x0000000000400000-0x0000000000682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp
| MD5 | 83b531c1515044f8241cd9627fbfbe86 |
| SHA1 | d2f7096e18531abb963fc9af7ecc543641570ac8 |
| SHA256 | 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c |
| SHA512 | 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b |
C:\Users\Admin\AppData\Local\Temp\is-Q2MR7.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/2616-207-0x0000000002860000-0x0000000003860000-memory.dmp
memory/2612-213-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2612-210-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2612-217-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2612-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2612-215-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2612-208-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2912-225-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1476-224-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1984-236-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-238-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-245-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1984-242-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-240-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-246-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1984-248-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | 94989927a6611e1919f84e1871922b63 |
| SHA1 | b602e4c47c9c42c273b68a1ce85f0814c0e05deb |
| SHA256 | 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17 |
| SHA512 | ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e |
memory/2440-255-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2132-256-0x00000000003D0000-0x00000000003E8000-memory.dmp
memory/2132-257-0x00000000005D0000-0x000000000060E000-memory.dmp
memory/2132-258-0x0000000000400000-0x00000000004C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC810.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2676-267-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | d0527733abcc5c58735e11d43061b431 |
| SHA1 | 28de9d191826192721e325787b8a50a84328cffd |
| SHA256 | b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45 |
| SHA512 | 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5 |
memory/1824-277-0x0000000000880000-0x0000000000903000-memory.dmp
memory/1824-276-0x0000000000880000-0x0000000000903000-memory.dmp
memory/1824-275-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2060-278-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2376-279-0x0000000000400000-0x0000000000682000-memory.dmp
memory/2616-280-0x000000002D910000-0x000000002D9BF000-memory.dmp
memory/2616-281-0x000000002D9C0000-0x000000002DA5C000-memory.dmp
memory/2616-283-0x000000002D9C0000-0x000000002DA5C000-memory.dmp
memory/1824-292-0x0000000000880000-0x0000000000903000-memory.dmp
memory/1824-291-0x0000000000880000-0x0000000000903000-memory.dmp
memory/1824-290-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1824-297-0x0000000000400000-0x0000000000483000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f78841e.exe
| MD5 | 620bda3df817bff8deb38758d1dc668c |
| SHA1 | 9933523941851b42047f2b7a1324eb8daa8fb1ff |
| SHA256 | b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3 |
| SHA512 | bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568 |
memory/816-382-0x0000000000330000-0x0000000000338000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 09:03
Reported
2024-11-09 09:06
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3392 set thread context of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe |
| PID 4528 set thread context of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\waitfor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756166420771177" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe
"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe
61f292ae24e70_Thu12a74e4137.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe
61f292a8a0a6c_Thu12fda79da.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe
61f292a3b1188_Thu12926eaf6b3.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe
61f292a4b3280_Thu12692268df32.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe
61f292ac194f1_Thu1230653d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe
61f292ad20a43_Thu120f4aad3d7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe
61f292adcd500_Thu12dd12e2c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe
61f292a50b8fa_Thu12c85191.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b465d58_Thu127ed1404d.exe
61f292b465d58_Thu127ed1404d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe
61f292b2a8973_Thu12d2978de30.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 492 -ip 492
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe
61f292aaee251_Thu12817405.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe
61f292ae71b3f_Thu1291f781.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe
61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$602D4,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe
61f292b10868e_Thu12702ecb5.exe /mixtwo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 612
C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$7029A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2648 -ip 2648
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe
61f292a688404_Thu122ae6bbac.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe" -a
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 19
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 624
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$A01C6,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe" /SILENT
C:\Windows\SysWOW64\timeout.exe
timeout 19
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4368 -ip 4368
C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 624
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\CZlKA.Q5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 752
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 780
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 832
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
Sul.exe.pif J
C:\Windows\SysWOW64\waitfor.exe
waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 840
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 04027fb0f481940795e2c30bcb6b4d6a yqOnbuLyc02ioy+ZBia7tQ.0.1.0.0.0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff96fb3cc40,0x7ff96fb3cc4c,0x7ff96fb3cc58
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4368 -ip 4368
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 844
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2824,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3132,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
C:\Windows\SysWOW64\rundll32.exe
rundll32
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5412,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5420,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5416,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2596 -ip 2596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1280
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4832,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5380,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hornygl.xyz | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | zenitsu.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| PL | 151.115.10.3:80 | zenitsu.s3.pl-waw.scw.cloud | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | inosuke.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | presstheme.me | udp |
| PL | 151.115.10.3:80 | inosuke.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | 3.10.115.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 8.8.8.8:53 | signaturebusinesspark.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | onlinehueplet.com | udp |
| RU | 92.255.57.115:11841 | tcp | |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW | udp |
| N/A | 127.0.0.1:61586 | tcp | |
| N/A | 127.0.0.1:61591 | tcp | |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.10:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 172.217.169.10:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.213.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| NL | 81.4.105.174:80 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| DE | 92.246.89.93:80 | onlinehueplet.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| RU | 92.255.57.115:11841 | tcp | |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d3e22d7fcc478eaf4b9e03a8a5038c12 |
| SHA1 | bfa29d4c2535b479102cd37c4a7f4245961daeb3 |
| SHA256 | 6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656 |
| SHA512 | 83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe
| MD5 | b14eef8f9059c67b05c710b51d150f82 |
| SHA1 | 645988e081d1948cae842614cc75875aec8cf68c |
| SHA256 | 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e |
| SHA512 | bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/492-80-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe
| MD5 | 6cda68905cfd314c1b5dcafd6adebc96 |
| SHA1 | c6e952b5190121ab0c082a2de4bc0caf06d1dcf0 |
| SHA256 | 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0 |
| SHA512 | 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe
| MD5 | cc722fd0bd387cf472350dc2dd7ddd1e |
| SHA1 | 49d288ddbb09265a586dd8d6629c130be7063afa |
| SHA256 | 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2 |
| SHA512 | 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe
| MD5 | b8ecec542a07067a193637269973c2e8 |
| SHA1 | 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb |
| SHA256 | fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e |
| SHA512 | 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe
| MD5 | af0de0482a6545057fb04ece77e0e83e |
| SHA1 | a5275870f175a76ae14d965211d02a5214adb5c2 |
| SHA256 | 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a |
| SHA512 | 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe
| MD5 | 4fda4b291bdc23439208635f8b4f10e5 |
| SHA1 | 6911fce737067d5bbeab05960ecd56d3a0fe0dfb |
| SHA256 | 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480 |
| SHA512 | 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe
| MD5 | 9691ad5126152a385a01220ee47221c1 |
| SHA1 | 48465630edcdc71525c792c0b855ef0d321f6a5e |
| SHA256 | 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67 |
| SHA512 | b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe
| MD5 | e65bf2d56fcaa18c1a8d0d481072dc62 |
| SHA1 | c7492c7e09b329bed044e9ee45e425e0817c22f4 |
| SHA256 | c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895 |
| SHA512 | 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9 |
memory/4528-124-0x0000000000CA0000-0x0000000000D2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/3416-131-0x00000000021F0000-0x0000000002208000-memory.dmp
memory/3452-148-0x0000000005320000-0x0000000005356000-memory.dmp
memory/3452-158-0x0000000005990000-0x0000000005FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp
| MD5 | 83b531c1515044f8241cd9627fbfbe86 |
| SHA1 | d2f7096e18531abb963fc9af7ecc543641570ac8 |
| SHA256 | 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c |
| SHA512 | 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b |
memory/3416-159-0x00000000004D0000-0x0000000000562000-memory.dmp
memory/4528-155-0x0000000005560000-0x000000000557E000-memory.dmp
memory/8-172-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe
| MD5 | b0448525c5a00135bb5b658cc6745574 |
| SHA1 | a08d53ce43ad01d47564a7dcdb87383652ef29f5 |
| SHA256 | b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859 |
| SHA512 | b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hn3x0rbx.3px.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3452-185-0x0000000006290000-0x00000000062F6000-memory.dmp
memory/3452-180-0x00000000060F0000-0x0000000006112000-memory.dmp
memory/3452-186-0x0000000006370000-0x00000000063D6000-memory.dmp
memory/3452-188-0x00000000064B0000-0x0000000006804000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe
| MD5 | a05b981f73e296c8edf29ea9f68b8355 |
| SHA1 | f959ea0a5569320682e194bd87ae3fbf0b382647 |
| SHA256 | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100 |
| SHA512 | d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace |
C:\Users\Admin\AppData\Local\Temp\is-G23JP.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/8-169-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3416-154-0x0000000005520000-0x0000000005AC4000-memory.dmp
memory/3416-201-0x00000000021F0000-0x0000000002208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk
| MD5 | b2a2f85b4201446b23a250f68051b4dc |
| SHA1 | 8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5 |
| SHA256 | 910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade |
| SHA512 | 188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c |
memory/492-214-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3972-218-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2648-220-0x0000000000400000-0x0000000000437000-memory.dmp
memory/492-216-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/492-215-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4236-219-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3452-235-0x00000000068B0000-0x00000000068FC000-memory.dmp
memory/456-240-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61f292af47cdd_Thu12168454a4a.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe
| MD5 | 2fd3235d23e379fcca10cf25661689c8 |
| SHA1 | ac4c74c6c95693a6d9d67caf55a6106eaa408959 |
| SHA256 | a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc |
| SHA512 | e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0 |
memory/3452-234-0x0000000006890000-0x00000000068AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11111.exe
| MD5 | 94989927a6611e1919f84e1871922b63 |
| SHA1 | b602e4c47c9c42c273b68a1ce85f0814c0e05deb |
| SHA256 | 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17 |
| SHA512 | ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e |
memory/4860-245-0x0000000000400000-0x0000000000480000-memory.dmp
memory/456-250-0x0000000005180000-0x0000000005192000-memory.dmp
memory/456-251-0x00000000052B0000-0x00000000053BA000-memory.dmp
memory/456-249-0x00000000056F0000-0x0000000005D08000-memory.dmp
memory/456-252-0x00000000051E0000-0x000000000521C000-memory.dmp
memory/1060-228-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3416-227-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/3416-225-0x0000000000880000-0x00000000008BE000-memory.dmp
memory/492-209-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/492-206-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2808-204-0x0000000000400000-0x0000000000682000-memory.dmp
memory/492-213-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/948-194-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/3416-147-0x0000000002F70000-0x0000000002F7A000-memory.dmp
memory/4528-146-0x0000000005580000-0x00000000055F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-RJIC8.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/3972-121-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1572-122-0x0000000000F20000-0x0000000000F28000-memory.dmp
memory/2596-120-0x00000000006F0000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe
| MD5 | ce54b9287c3e4b5733035d0be085d989 |
| SHA1 | 07a17e423bf89d9b056562d822a8f651aeb33c96 |
| SHA256 | e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112 |
| SHA512 | c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0 |
memory/3416-127-0x0000000000880000-0x00000000008BE000-memory.dmp
memory/3416-126-0x0000000002270000-0x0000000002271000-memory.dmp
memory/3416-125-0x0000000000400000-0x00000000004C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b465d58_Thu127ed1404d.exe
| MD5 | 79400b1fd740d9cb7ec7c2c2e9a7d618 |
| SHA1 | 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3 |
| SHA256 | 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f |
| SHA512 | 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac |
memory/3416-113-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/1060-109-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe
| MD5 | 8b361d36500a8a4abd21c08235e6c0c8 |
| SHA1 | c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce |
| SHA256 | dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5 |
| SHA512 | 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe
| MD5 | 5b14369c347439becacaa0883c07f17b |
| SHA1 | 126b0012934a2bf5aab025d931feb3b4315a2d9a |
| SHA256 | 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307 |
| SHA512 | 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe
| MD5 | fbd3940d1ad28166d8539eae23d44d5b |
| SHA1 | 55fff8a0aa435885fc86f7f33fec24558aa21ef5 |
| SHA256 | 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7 |
| SHA512 | 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11 |
memory/3452-269-0x0000000007A50000-0x0000000007A6E000-memory.dmp
memory/3452-270-0x0000000007A80000-0x0000000007B23000-memory.dmp
memory/4736-257-0x0000000002650000-0x0000000003650000-memory.dmp
memory/3452-258-0x0000000006E60000-0x0000000006E92000-memory.dmp
memory/3452-259-0x000000006F3E0000-0x000000006F42C000-memory.dmp
memory/492-86-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk
| MD5 | 662676b6ae749090c43a0c5507b16131 |
| SHA1 | 0aec9044c592c79aa2a44f66b73ed0c5cb62fd68 |
| SHA256 | 4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4 |
| SHA512 | ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4 |
memory/492-85-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/492-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/492-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/492-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3452-273-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
memory/3452-272-0x0000000008200000-0x000000000887A000-memory.dmp
memory/492-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/492-79-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/492-78-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/492-77-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3452-275-0x0000000007C40000-0x0000000007C4A000-memory.dmp
memory/492-76-0x000000006494A000-0x000000006494F000-memory.dmp
memory/492-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/492-74-0x00000000007A0000-0x000000000082F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Riflettere.wbk
| MD5 | 4008d7f17a08efd3fbd18e4e1ba29e00 |
| SHA1 | 53e25946589981cb36b0e9fb5b26fc334d4f9424 |
| SHA256 | 752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b |
| SHA512 | 39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978 |
memory/3452-279-0x0000000007E30000-0x0000000007EC6000-memory.dmp
memory/3452-282-0x0000000007DC0000-0x0000000007DD1000-memory.dmp
memory/492-73-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/492-66-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/3452-283-0x0000000007DF0000-0x0000000007DFE000-memory.dmp
memory/3452-284-0x0000000007E00000-0x0000000007E14000-memory.dmp
memory/3452-286-0x0000000007EF0000-0x0000000007F0A000-memory.dmp
memory/3452-287-0x0000000007EE0000-0x0000000007EE8000-memory.dmp
memory/1668-291-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1668-297-0x0000000000400000-0x0000000000483000-memory.dmp
memory/4368-298-0x0000000000400000-0x000000000045C000-memory.dmp
memory/948-319-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/220-320-0x0000000000400000-0x0000000000682000-memory.dmp
memory/4368-325-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4736-332-0x0000000002650000-0x0000000003650000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7bc798965e9c6e9d55a783976e3d34fa |
| SHA1 | 6cb7fdff7679a9359238d79e577f666c8ccb3b32 |
| SHA256 | 1ca89720a6e20c356150a5a9feed44df6aa9f9508d22c804f810cea4c984a403 |
| SHA512 | 23ffca4d7cab02c9d7d31a2f6179b4a5b171c360c75a62a39fd3e46eed00151d3d42d6664a2999da817fc14e1d80a9587f9d68e591b6d95182153572748bd7a0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\af21aefe-9635-4fe7-ba2c-e44cbefc13a4.tmp
| MD5 | 78402cd12e3310c867a29cc291912f2c |
| SHA1 | 5b10967db1a7d36ab7b54f0ba0a9a04bf0ee68b7 |
| SHA256 | 0f0335782cdb6dc3b3d3a87b4f72a751234df02094db3a2ebe0d57729ea87657 |
| SHA512 | 0e5142a45f3225229581704adde58ad057ef553c31bd9b0ff858c9b10da8d0805a1d55042dd2d584bef8737af375575588f6eb38ac94893a7dd78c3f905af0c4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c9e42eaeacf3f5f47c5bac270d6f1fd0 |
| SHA1 | cb9339649b048e526cd648e69590403f4cfe7cb8 |
| SHA256 | 74e9fe16bec804a2ef5cf1bf844712a334ee942f55126af0e3694f20203aabf2 |
| SHA512 | 3752d22f3c8c568dbde3ffa0904e34754aab30ebd88556de683f371a2e6c61504b7de2a4bc542829d7c44bb1719cb5e9c411ab75a16c56f1f79caa3935e097bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a31b520999574d594add58c4fe06335f |
| SHA1 | 906bee80677eb21bef0f7f3d82c048dfe7529076 |
| SHA256 | 9345765716eba391b3199082b202e1eb5664a643af9799a954078a82f9cfe7fb |
| SHA512 | 211c55fc7cda6e7f96941efabf0e67a922766ecb2cf3f6c4b58d82031eed0692395e0a4bea722aacbdae5a33d11d169ffb945ad08fbac73942aa5e090f41882d |
memory/4736-372-0x0000000002650000-0x0000000003650000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 267956d72762740c13784b89288b5487 |
| SHA1 | 0d75407c76c5343126b6795c8eb707cb059aef69 |
| SHA256 | f9de4db5f863d4d465b754cb9163f08170821b1f93a0924a9745546381e3c195 |
| SHA512 | 1938113c161732a355a33f857f62eca05da6914eb8c15a7377e1d01a6cf93bd8fb0bd8986f7450356fcbae0554b43e3304a49c14c13d75ae77ae88a378e9e9eb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 467713059e07eeb6af7234de2f48d6d1 |
| SHA1 | c65ccb04123b1a138e51715800378f364b141f3f |
| SHA256 | 9b3aeb0b261c3e367cc9ecb2879a4a08a613e8970f30144ac27928cc5f4cf22f |
| SHA512 | 07c7463bd5d7478aac9022dd3c8ccfa77b62025649a3ec24bb980152c7daa3a76c767b12257bfaac61baf9dd2e4357d1ac4d8157cad6ec0a880e86c0f22d164d |
memory/4736-397-0x0000000002650000-0x0000000003650000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | c7d3ef729df3802894a9be0674f7bef1 |
| SHA1 | 8d3b2d73cb8592c9f2ea5e78aa89c339b3b5509b |
| SHA256 | 06139d90e0a1abcbc32cc8c1ab57bd940f8a85a39311f7b8511a31a8a9d87b17 |
| SHA512 | 7ad5aa7a79cb11c6aaddbb1efa5c43c9e91a097f9df873a31839ebcf665779134c6a5809ba7053f6832248afdbe00182df447f634c6d34d8f829d38deeeead01 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1704_500290361\b352d79f-b0df-497e-b18a-ebb714513420.tmp
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | daa2133343dbb78c76288e9e14e6a661 |
| SHA1 | 9605c9d690a3886978ab38cf687e84f4bec21d1c |
| SHA256 | fdb0828e264dd382b2f94009c82e7f742b710cf21819beb79e3d6090f7836c39 |
| SHA512 | 3a4e0faa35ceec313f87f234ce93e25ebd8f8d152de276b172b89cbccbec86cc74922e63a5fdf4a94a443263cb132b7459ff1e1b303a44953afe365478a15440 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1704_500290361\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
memory/4736-640-0x0000000002650000-0x0000000003650000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b35124ecdea56eb27b1d2b0ab5b07860 |
| SHA1 | 631d285b9571f4e7e592d227f0a4b3aeacdfd347 |
| SHA256 | 2c9051c1e8638d75043989fd5a014209df57ef6498424a43bbf21ce76f5ef864 |
| SHA512 | effc8d819cf125339dee533c77c962234e6856a41624613e39a833585c94088c85bf64e8746ae403a0c154691d6078b20bf701b446a02e7051a61b189b452fcb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 36cf361719ff8abe9b651b31298a2758 |
| SHA1 | 0e6f3992177b24a5dce38e9a8ea1f3ff1d449dd3 |
| SHA256 | 4839214518bdb44c4d833374b8da5f3dab858cd246adc9c1e9d717347865782d |
| SHA512 | 91db3d45daf1077ea5eba047a2d40de2a368228f85d09c78f69d6fbacbe400240005565083ac32ae239b965550707613d5e2cb4df9cdcaed28b9e1f7bea1ea4c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | a8784e18376fc7d276ab54e0c7ae4bf0 |
| SHA1 | f238f59c8b8d602cc6578cebdad75902db8c790e |
| SHA256 | d18df5304b6574b86e83d0fc0b8487fd8994be77ca46c1e887eb506b6098ae30 |
| SHA512 | f55e9704d736c2a3874aae843caa031c72f678894cb353f8861609b3ba5db874a89d0ee88433624247bb0cc47ebbe18e920e8df72ea1dd1368a57c44c861175b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | b27c1c944f451cc765ef256487d8e7ed |
| SHA1 | ca46ce0fdc0031a273800c2c28ebc6550ced9d0a |
| SHA256 | 5f00d41579db48431fc1bfa01d31111d66329c8cdac6e36553eeb1390e911669 |
| SHA512 | 30f942a7c0a89178b8f57fa0e42d867b844121408f84c47d0df401384015a915cc92196c71c001dba207fbb37a3c91b7ca50ccce8609dd2fb08e976a969adb98 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1626e991d60ea680d05d0eb387a23cca |
| SHA1 | 431ca4870e49cd3cccd1e31bd60a2854d56773ad |
| SHA256 | 4becc7585afc10aa6ecc57636130e84fe64b55772c0144bba515bed4ed8d3fa0 |
| SHA512 | ae5215bde7e92376e5e751c44b8c38e94ed3350ac622a12c9a23e4305ddbda5c439bdb75b52303128f7745da727ed9d0905394ff1d3708e49d088143fd80833f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ca5179d9fc0d9a43a91c0283ec5cb0f8 |
| SHA1 | 1bea38e3b8d20a9a94c180a9df26b2cd0dd8115d |
| SHA256 | 4a24c0004bc4bde4b98d1593d162ace4a2795935e84ca13b0c1005ee219741f4 |
| SHA512 | 8cf2ec1371d68b53a27f6320aa170aafbafad8950d6944884788f739dfb073d0772b096984206e99b3a2bf13e3f66e1cfd6f6e02b9bf3d52e8303fc09c7992d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5accc2c103602af5978c5bc6a2d27e76 |
| SHA1 | 0d0559bae729d52425266ff2fe4a93f453227b30 |
| SHA256 | dcebae2f4255aef13efea1cb922872699471aa04624f683a2e1eee9dbd863274 |
| SHA512 | 742835e72258662c2e877526f89a58dba66dbe0d0af75afdd41464138ad85300697b610f15481fba03d85ff272a41e80342db1527ad611b26a2131211115a70e |