Malware Analysis Report

2024-11-13 16:53

Sample ID 241109-kz78qa1hmk
Target 2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
SHA256 2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
Tags
fabookie gcleaner nullmixer onlylogger redline smokeloader socelars media262231 pub3 aspackv2 backdoor discovery dropper execution infostealer loader persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6

Threat Level: Known bad

The file 2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6 was found to be: Known bad.

Malicious Activity Summary

fabookie gcleaner nullmixer onlylogger redline smokeloader socelars media262231 pub3 aspackv2 backdoor discovery dropper execution infostealer loader persistence spyware stealer trojan upx

Socelars

GCleaner

Fabookie

Smokeloader family

RedLine

RedLine payload

Redline family

Socelars payload

Socelars family

NullMixer

Detect Fabookie payload

Nullmixer family

SmokeLoader

Gcleaner family

Onlylogger family

Fabookie family

OnlyLogger

OnlyLogger payload

Detected Nirsoft tools

NirSoft WebBrowserPassView

Blocklisted process makes network request

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops Chrome extension

Looks up geolocation information via web service

Adds Run key to start application

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Browser Information Discovery

Enumerates system info in registry

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 09:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 09:03

Reported

2024-11-09 09:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f78d430.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f78d430.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\waitfor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2112 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe

61f292a50b8fa_Thu12c85191.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe

61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe

61f292a8a0a6c_Thu12fda79da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe

61f292ae71b3f_Thu1291f781.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe

61f292ac194f1_Thu1230653d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe

61f292adcd500_Thu12dd12e2c.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe

61f292a4b3280_Thu12692268df32.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe

61f292ad20a43_Thu120f4aad3d7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe

61f292aaee251_Thu12817405.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe

61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$8015A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe"

C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$70158,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout 19

C:\Windows\SysWOW64\timeout.exe

timeout 19

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe

61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe

61f292ae24e70_Thu12a74e4137.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe

61f292b2a8973_Thu12d2978de30.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Esistenza.wbk

C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$501EA,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq BullGuardCore.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "bullguardcore.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\CZlKA.Q5

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 480

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Sul.exe.pif J

C:\Windows\SysWOW64\waitfor.exe

waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1424

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 484

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1640 -s 488

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\CZlKA.Q5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1148

C:\Users\Admin\AppData\Local\Temp\f78d430.exe

"C:\Users\Admin\AppData\Local\Temp\f78d430.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 appwebstat.biz udp
N/A 127.0.0.1:49303 tcp
N/A 127.0.0.1:49305 tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 zenitsu.s3.pl-waw.scw.cloud udp
US 104.26.2.46:443 iplogger.org tcp
PL 151.115.10.3:80 zenitsu.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 inosuke.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 inosuke.s3.pl-waw.scw.cloud tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 onlinehueplet.com udp
US 8.8.8.8:53 c.pki.goog udp
DE 92.246.89.93:80 onlinehueplet.com tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 ip-api.com udp
US 104.26.2.46:443 iplogger.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 presstheme.me udp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
NL 81.4.105.174:80 tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 dll1.stdcdn.com udp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
CH 80.67.82.89:80 crl.microsoft.com tcp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
FR 77.132.68.187:8080 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
FR 77.132.68.187:8080 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe

MD5 b14eef8f9059c67b05c710b51d150f82
SHA1 645988e081d1948cae842614cc75875aec8cf68c
SHA256 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e
SHA512 bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2528-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2528-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0480EDC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2528-71-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2528-70-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2528-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe

MD5 4fda4b291bdc23439208635f8b4f10e5
SHA1 6911fce737067d5bbeab05960ecd56d3a0fe0dfb
SHA256 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480
SHA512 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe

MD5 fbd3940d1ad28166d8539eae23d44d5b
SHA1 55fff8a0aa435885fc86f7f33fec24558aa21ef5
SHA256 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7
SHA512 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe

MD5 a05b981f73e296c8edf29ea9f68b8355
SHA1 f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512 d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe

MD5 5b14369c347439becacaa0883c07f17b
SHA1 126b0012934a2bf5aab025d931feb3b4315a2d9a
SHA256 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
SHA512 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b

memory/2528-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2528-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2528-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2528-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2528-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe

MD5 b8ecec542a07067a193637269973c2e8
SHA1 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256 fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
SHA512 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe

MD5 af0de0482a6545057fb04ece77e0e83e
SHA1 a5275870f175a76ae14d965211d02a5214adb5c2
SHA256 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a
SHA512 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe

MD5 e65bf2d56fcaa18c1a8d0d481072dc62
SHA1 c7492c7e09b329bed044e9ee45e425e0817c22f4
SHA256 c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895
SHA512 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe

MD5 8b361d36500a8a4abd21c08235e6c0c8
SHA1 c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce
SHA256 dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5
SHA512 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a

memory/1572-126-0x00000000004D0000-0x0000000000593000-memory.dmp

memory/1572-125-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe

MD5 79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe

MD5 2fd3235d23e379fcca10cf25661689c8
SHA1 ac4c74c6c95693a6d9d67caf55a6106eaa408959
SHA256 a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc
SHA512 e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe

MD5 cc722fd0bd387cf472350dc2dd7ddd1e
SHA1 49d288ddbb09265a586dd8d6629c130be7063afa
SHA256 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
SHA512 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b

memory/1836-121-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2872-130-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/1836-116-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe

MD5 b0448525c5a00135bb5b658cc6745574
SHA1 a08d53ce43ad01d47564a7dcdb87383652ef29f5
SHA256 b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859
SHA512 b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe

MD5 ce54b9287c3e4b5733035d0be085d989
SHA1 07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
SHA512 c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe

MD5 9691ad5126152a385a01220ee47221c1
SHA1 48465630edcdc71525c792c0b855ef0d321f6a5e
SHA256 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67
SHA512 b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949

C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe

MD5 6cda68905cfd314c1b5dcafd6adebc96
SHA1 c6e952b5190121ab0c082a2de4bc0caf06d1dcf0
SHA256 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0
SHA512 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6

memory/1572-135-0x00000000003C0000-0x00000000003D8000-memory.dmp

memory/1572-134-0x0000000000350000-0x000000000038E000-memory.dmp

memory/1572-133-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1572-132-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2092-145-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1972-148-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2164-146-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2092-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2348-151-0x00000000011A0000-0x00000000011C0000-memory.dmp

memory/1572-155-0x0000000000250000-0x000000000025A000-memory.dmp

memory/1420-159-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2092-162-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1208-176-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2956-179-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1584-178-0x00000000000C0000-0x000000000014A000-memory.dmp

memory/2164-177-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp

MD5 83b531c1515044f8241cd9627fbfbe86
SHA1 d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
SHA512 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

C:\Users\Admin\AppData\Local\Temp\is-9FU41.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/1972-202-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2448-201-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2636-224-0x0000000002870000-0x0000000003870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFFC2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2528-233-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/1696-244-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1836-241-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1696-240-0x0000000000240000-0x00000000002C0000-memory.dmp

memory/1696-239-0x0000000000240000-0x00000000002C0000-memory.dmp

memory/1696-238-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1836-248-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1572-249-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1572-250-0x0000000000350000-0x000000000038E000-memory.dmp

memory/1572-251-0x00000000003C0000-0x00000000003D8000-memory.dmp

memory/1572-253-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2528-260-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-259-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2528-258-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2528-257-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2528-255-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1604-265-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/2696-266-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2696-268-0x0000000000240000-0x00000000002C3000-memory.dmp

memory/2696-267-0x0000000000240000-0x00000000002C3000-memory.dmp

memory/2956-269-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2828-270-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2528-280-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2528-279-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2528-278-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2528-277-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2528-275-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2528-271-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1632-290-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-289-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1632-287-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-285-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-283-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-281-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1632-293-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2696-304-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2696-306-0x0000000000240000-0x00000000002C3000-memory.dmp

memory/2696-305-0x0000000000240000-0x00000000002C3000-memory.dmp

memory/2696-309-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f78d430.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/2696-398-0x0000000000B80000-0x0000000000B88000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 09:03

Reported

2024-11-09 09:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b465d58_Thu127ed1404d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\waitfor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756166417928637" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe
PID 2140 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe
PID 2140 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe
PID 3412 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\taskkill.exe
PID 3412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\taskkill.exe
PID 3412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\taskkill.exe
PID 3412 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
PID 3412 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
PID 3412 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
PID 3412 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe
PID 4808 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe
PID 4808 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe
PID 1940 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe
PID 1940 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe
PID 1940 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe
PID 3412 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 4772 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 4772 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 884 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
PID 884 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
PID 884 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe
PID 2324 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe
PID 2324 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe
PID 2324 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe
PID 1832 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe

61f292a3b1188_Thu12926eaf6b3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe

61f292a4b3280_Thu12692268df32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe

61f292ac194f1_Thu1230653d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe

61f292aaee251_Thu12817405.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe

61f292a50b8fa_Thu12c85191.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe

61f292a8a0a6c_Thu12fda79da.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe

61f292ad20a43_Thu120f4aad3d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe

61f292adcd500_Thu12dd12e2c.exe

C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$7015A,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe

61f292ae71b3f_Thu1291f781.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412

C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$8024C,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe

61f292ae24e70_Thu12a74e4137.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe

61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3372 -ip 3372

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b465d58_Thu127ed1404d.exe

61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe

61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Esistenza.wbk

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout 19

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 356

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DGHAM.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$40286,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1464 -ip 1464

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\CZlKA.Q5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 624

C:\Windows\SysWOW64\timeout.exe

timeout 19

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq BullGuardCore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1776

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Windows\SysWOW64\find.exe

find /I /N "bullguardcore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 624

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 648

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1464 -ip 1464

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Sul.exe.pif J

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 728

C:\Windows\SysWOW64\waitfor.exe

waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc76e3cc40,0x7ffc76e3cc4c,0x7ffc76e3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2476 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 856

C:\Windows\SysWOW64\rundll32.exe

rundll32

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4740,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5352,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3832 -ip 3832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1264

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4984,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5092,i,16156424909439088012,5606271996256808090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 www.listincode.com udp
US 172.67.74.161:443 iplogger.org tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 zenitsu.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 zenitsu.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 inosuke.s3.pl-waw.scw.cloud udp
PL 151.115.10.3:80 inosuke.s3.pl-waw.scw.cloud tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 presstheme.me udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 208.95.112.1:80 ip-api.com tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 onlinehueplet.com udp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 appwebstat.biz udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW udp
US 8.8.8.8:53 v.xyzgamev.com udp
N/A 127.0.0.1:53191 tcp
N/A 127.0.0.1:53193 tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.187.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
NL 81.4.105.174:80 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
DE 92.246.89.93:80 onlinehueplet.com tcp
N/A 224.0.0.251:5353 udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 193.108.222.173.in-addr.arpa udp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\setup_install.exe

MD5 b14eef8f9059c67b05c710b51d150f82
SHA1 645988e081d1948cae842614cc75875aec8cf68c
SHA256 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e
SHA512 bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5

memory/3412-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3412-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3412-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3412-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a4b3280_Thu12692268df32.exe

MD5 5b14369c347439becacaa0883c07f17b
SHA1 126b0012934a2bf5aab025d931feb3b4315a2d9a
SHA256 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
SHA512 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ad20a43_Thu120f4aad3d7.exe

MD5 8b361d36500a8a4abd21c08235e6c0c8
SHA1 c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce
SHA256 dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5
SHA512 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292adcd500_Thu12dd12e2c.exe

MD5 b0448525c5a00135bb5b658cc6745574
SHA1 a08d53ce43ad01d47564a7dcdb87383652ef29f5
SHA256 b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859
SHA512 b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ac194f1_Thu1230653d.exe

MD5 af0de0482a6545057fb04ece77e0e83e
SHA1 a5275870f175a76ae14d965211d02a5214adb5c2
SHA256 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a
SHA512 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292aaee251_Thu12817405.exe

MD5 e65bf2d56fcaa18c1a8d0d481072dc62
SHA1 c7492c7e09b329bed044e9ee45e425e0817c22f4
SHA256 c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895
SHA512 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a8a0a6c_Thu12fda79da.exe

MD5 b8ecec542a07067a193637269973c2e8
SHA1 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256 fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
SHA512 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a688404_Thu122ae6bbac.exe

MD5 a05b981f73e296c8edf29ea9f68b8355
SHA1 f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512 d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a50b8fa_Thu12c85191.exe

MD5 4fda4b291bdc23439208635f8b4f10e5
SHA1 6911fce737067d5bbeab05960ecd56d3a0fe0dfb
SHA256 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480
SHA512 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292a3b1188_Thu12926eaf6b3.exe

MD5 fbd3940d1ad28166d8539eae23d44d5b
SHA1 55fff8a0aa435885fc86f7f33fec24558aa21ef5
SHA256 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7
SHA512 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae24e70_Thu12a74e4137.exe

MD5 cc722fd0bd387cf472350dc2dd7ddd1e
SHA1 49d288ddbb09265a586dd8d6629c130be7063afa
SHA256 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
SHA512 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292ae71b3f_Thu1291f781.exe

MD5 ce54b9287c3e4b5733035d0be085d989
SHA1 07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
SHA512 c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292af47cdd_Thu12168454a4a.exe

MD5 2fd3235d23e379fcca10cf25661689c8
SHA1 ac4c74c6c95693a6d9d67caf55a6106eaa408959
SHA256 a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc
SHA512 e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b2a8973_Thu12d2978de30.exe

MD5 9691ad5126152a385a01220ee47221c1
SHA1 48465630edcdc71525c792c0b855ef0d321f6a5e
SHA256 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67
SHA512 b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949

memory/644-104-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1136-105-0x00000000029E0000-0x0000000002A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R76C1.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/644-126-0x0000000000710000-0x0000000000728000-memory.dmp

memory/644-134-0x00000000023B0000-0x00000000023BA000-memory.dmp

memory/644-137-0x00000000004F0000-0x0000000000582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KCF6O.tmp\61f292aaee251_Thu12817405.tmp

MD5 83b531c1515044f8241cd9627fbfbe86
SHA1 d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
SHA512 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

C:\Users\Admin\AppData\Local\Temp\is-Q153P.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/3940-155-0x0000000000830000-0x00000000008BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b10868e_Thu12702ecb5.exe

MD5 6cda68905cfd314c1b5dcafd6adebc96
SHA1 c6e952b5190121ab0c082a2de4bc0caf06d1dcf0
SHA256 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0
SHA512 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6

memory/1136-171-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/540-180-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2060-182-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/540-175-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1136-173-0x0000000005B60000-0x0000000005EB4000-memory.dmp

memory/3940-172-0x00000000050F0000-0x000000000510E000-memory.dmp

memory/1136-170-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/1136-169-0x00000000059E0000-0x0000000005A02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pgs0tdt.3ez.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3940-158-0x0000000005110000-0x0000000005186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\61f292b465d58_Thu127ed1404d.exe

MD5 79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

memory/644-135-0x0000000005580000-0x0000000005B24000-memory.dmp

memory/312-121-0x0000000000050000-0x0000000000058000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8BKV6.tmp\61f292a4b3280_Thu12692268df32.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/644-112-0x00000000021F0000-0x000000000222E000-memory.dmp

memory/644-111-0x0000000000740000-0x0000000000741000-memory.dmp

memory/644-110-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1136-109-0x0000000005110000-0x0000000005738000-memory.dmp

memory/3832-103-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/2280-99-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3996-89-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3412-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3412-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3412-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3412-70-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3412-68-0x000000006494A000-0x000000006494F000-memory.dmp

memory/3412-67-0x0000000000F30000-0x0000000000FBF000-memory.dmp

memory/3412-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3412-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3412-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3412-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3412-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC58676B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/1928-188-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2664-189-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2280-200-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3996-201-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk

MD5 b2a2f85b4201446b23a250f68051b4dc
SHA1 8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5
SHA256 910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade
SHA512 188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c

memory/644-191-0x0000000000710000-0x0000000000728000-memory.dmp

memory/3412-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3412-215-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3372-217-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3412-214-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3412-213-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3412-211-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3412-207-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1136-226-0x0000000006080000-0x00000000060CC000-memory.dmp

memory/1136-225-0x0000000006040000-0x000000000605E000-memory.dmp

memory/4908-230-0x0000000002EE0000-0x0000000003EE0000-memory.dmp

memory/644-233-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/644-231-0x00000000021F0000-0x000000000222E000-memory.dmp

memory/1136-246-0x0000000006610000-0x000000000662E000-memory.dmp

memory/1136-236-0x000000006E0C0000-0x000000006E10C000-memory.dmp

memory/1136-247-0x0000000007020000-0x00000000070C3000-memory.dmp

memory/1136-235-0x0000000006630000-0x0000000006662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/5004-252-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1136-253-0x0000000007360000-0x000000000737A000-memory.dmp

memory/1136-251-0x00000000079A0000-0x000000000801A000-memory.dmp

memory/5004-256-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1136-257-0x00000000073E0000-0x00000000073EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk

MD5 662676b6ae749090c43a0c5507b16131
SHA1 0aec9044c592c79aa2a44f66b73ed0c5cb62fd68
SHA256 4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4
SHA512 ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4

memory/1136-261-0x00000000075D0000-0x0000000007666000-memory.dmp

memory/1136-262-0x0000000007560000-0x0000000007571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Riflettere.wbk

MD5 4008d7f17a08efd3fbd18e4e1ba29e00
SHA1 53e25946589981cb36b0e9fb5b26fc334d4f9424
SHA256 752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b
SHA512 39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978

memory/1136-267-0x00000000075A0000-0x00000000075AE000-memory.dmp

memory/1136-268-0x00000000075B0000-0x00000000075C4000-memory.dmp

memory/1136-269-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/1136-270-0x0000000007680000-0x0000000007688000-memory.dmp

memory/1348-276-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1348-277-0x00000000059B0000-0x0000000005FC8000-memory.dmp

memory/1348-279-0x0000000005530000-0x000000000563A000-memory.dmp

memory/1348-278-0x0000000005400000-0x0000000005412000-memory.dmp

memory/1348-280-0x0000000005460000-0x000000000549C000-memory.dmp

memory/1348-281-0x00000000054C0000-0x000000000550C000-memory.dmp

memory/5092-283-0x0000000000400000-0x0000000000483000-memory.dmp

memory/5092-298-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1464-299-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2060-315-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2452-316-0x0000000000400000-0x0000000000682000-memory.dmp

memory/1464-317-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4908-318-0x0000000002EE0000-0x0000000003EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 950ebe8e4f8d7ab158039fec67b726cd
SHA1 22b350a557bc5af35555a087e01da213fd34e6a9
SHA256 c9d0e4992609f9673849d2eb2fe333a1cd452d3875c35dd8380b2cacdc360022
SHA512 936826be37923c95b718e17342840fa100a308527fd0f0ec28e250512e436739c845b27bc7b6acaa1dc487a99c998ef93518c79a5376686d685338f5ce972dd0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 88ced490f88048915a5b060e9d5efa61
SHA1 edacaeadb3f50c3d58b9c5ee0581dea04a54e25b
SHA256 54393570808c068bae58e39d07d31fab0b074bf78ed85c031aac1fd75a20f080
SHA512 9ca3255991d32058c231e3915c1fbaeb4b9ff7a39acb009d28ff3f030d681df4ae15528f7af1f9d28a1e44704c8423886459a250cbbe382f7fb2fc7ede065ecf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\21170385-dd10-4b23-bd62-c0ab072416ba.tmp

MD5 4f285392e602df32a133b10eaf2ad18a
SHA1 5344aa5e6740825ca7222ad45cdcd6df07c8316c
SHA256 1493e6d3ef4ba244e58e8de805ef815937959f01c5480861b794dc63b4617a6c
SHA512 508bb98ea5e727a97e9bda438c39860fab02a32773a81f3738126be9cd85823685ac4ac85b3755eae847814004b624e92136c6eb275bfb45382fdd89609e2129

memory/4908-358-0x0000000002EE0000-0x0000000003EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 dc6e3c91e4c0462370004b208badf212
SHA1 fab8c02c8941a033aa072a15291a7b4de296b771
SHA256 e93bfcf2e79df97258a9d64ef49a7b01fff23a2b55bd24ef68ed65711e003c37
SHA512 d04901ffbef9796544084d0744bbf9ef77d92aea0ea3ebaad204120d0de739a7a043ae1a22daf0b269d8f585b914181467abdb7bbd16e62a45fb8122dc12f099

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 1586b9fadd7848b23fc93b546fad8939
SHA1 fe80286b8e7d1cc89f1f04b2511343b32ab15d44
SHA256 b90f589b627131ac64d8e17a10b595cb6c06f29b4f1a977d51106b659ea6eb0f
SHA512 95af1e143cb37db24eacbe33b3dc6065898765179c12bd0fcd0db557ca20032c2c0cbfb45458a6007936448a31ee05daf2383a70ed1fb039584ef3c801390c2e

C:\Users\Admin\AppData\Local\Temp\scoped_dir2476_590880022\6aaf43cd-e82c-440a-a85f-6fec91ec5f93.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

memory/4908-385-0x0000000002EE0000-0x0000000003EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 257f1b65f9649a9668953ae141e5cc41
SHA1 ff7ea2d20b097b727afee39758101645804411fe
SHA256 77b59f1dd7014a925d408ca5a1a71444bdf4c99b1748975be845d62dfedf7933
SHA512 a02f62555fbefa3b7bfa6cbda8b0e28d89c12f55111b5e480aa782346a5eecb02a4a769be40f4943dd9a717cd6ae6321750de2840932e44336c082bfaeb6145d

C:\Users\Admin\AppData\Local\Temp\scoped_dir2476_590880022\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5bbbf3e45853c2d1714c84f935224968
SHA1 92665987a4f20f769125b78285b64bd5127345b2
SHA256 e9fd0490ff92a3ce62f8a365d4c4a072087cc15c62c62332b470e57db7fdccc6
SHA512 2aa97893ff90dafcd8964c335d2e7dbc657053eb53473238fea4a44818d6efe25cfae5b45ed881fff7fdd680ded510ab614faa0196566fc2c2a755dcb8ce2943

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f11458940680fae51d80535f418a9faa
SHA1 baa64bcc4fc8337dad6fdc00d81afe0a50a2e188
SHA256 26b5a61bc8e545608b00751b238e7d961808ef6200c887562b89103e063abf8d
SHA512 37197ee8bcc4020cd72655dfd17f76918a24e957197a4d0359613a7c624b202390d30d9cd3bd66aaff3221cf51a9efe47d37ad8af7fe8de17c97325a0d9d5249

memory/4908-645-0x0000000002EE0000-0x0000000003EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0ed74164362af9c0f3ceda2ba795ca2e
SHA1 f53450241b3d6660a815ffcef772e17b3bc17e5d
SHA256 f76271f1ad1f5e7bd5d1a920986c6ab3a333c384448e90eb3d7bcdf6bca417b9
SHA512 9cc949327f9193257146774125ad6a45fb054656b4e89b4afcd55a3d2bd367fc4352ce03224bc326ddf677687c99f464567187105bd544667342873f73c94ecf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 717da977515dadb8b68e981e13b018c8
SHA1 a2017259af728fe7976a31503abcd0bd7d090365
SHA256 0900e61aa30ad2b6ede6584a10b36eaf91ff7967d7882d5ecbc8219e1201f0c1
SHA512 87c12a3e874d5356c8905613eae80d4ef4a005f78cf7fc06c6630e8b31eef64f76254ca51722999893fb25bc2c47172482cd2a1b5bd6003ccbfabe4a50ff1f83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 fd4d2eaff8290afadadc8e80e17a8fb3
SHA1 935ac22275deae6c225a21d994281f75061bd849
SHA256 2f068fdc74bae1b5040c70000c693ed0f53baa2d565703591a13ccf2ddf69564
SHA512 ad4bb5582e63bd589d8e36156e32a5b960c0e74ae7d6ba72b146ec988ee28e252d72ded7c9d7adbcf288017a780e0f84aed2dbbc71cb3e06ef3a5b94eff1dfa6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5563053cf7221786039aeb1dc75a18b3
SHA1 1c316aa01204558f9acb3a78f9d3199b4d654880
SHA256 9a17f2e4c2d846256e06f4ea5a32f739c3d2550c0a04818a3c771c07191054c7
SHA512 5f2e5f5773390fce8b88f9b97f9a88cebecc438b00ccbad86b72a067b5460da925c0b5630593e4e1357b30395193805ec1913fedd59ef347db5b8258e559ca47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 72aa0023b1e3821131f9dcc9a2a8f449
SHA1 ae07004b8fe84b06f05355920a15b9b0666f0105
SHA256 c946c44e7e2c344741b3e6a35c9b9015095c3bc4ed96b236b829d51de9853068
SHA512 069a8ac68df424c4a685dde7b171f9e9d1b36063ea0a8e5d97e79f001449d1b5e98415e3532b422eb99c6d2bb0c0e2a759b5b4be66a8762932e8ea28ae3f1623

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f4b564ba6509904f26820269ba51c5b4
SHA1 b5f276cd62b2b5563aa53ce2c9a1f07ae65cb512
SHA256 f40c6bb84ac66a6281d328c163356291abc9320b5e7cae160d765d04df7b9c64
SHA512 2ebea5cb44895df89f85ae1edf95e719b48f49cedac7356b9f768716004dc81670e6f037685c9f82b1455a9d52ee54962bf113540553606cda268b19b0bcd2b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 81af45fd999a37b5851d8004b9cf9f2c
SHA1 31774575f9ae0330332ea3f1a7b8a215d75cdcaa
SHA256 5c2a3c097918bf7dfb61c71c89a7616bc167fb4ebcdb5b87882aa214d6b418fb
SHA512 7c189fb64416c67ab6ca1f5deee53207bded89c5b6358dc341e1dfe07ab79dcbe13ffcd9c3c903d1b17a5889fa7c7a8ce6da6ab86b531c59d11eba07a6f7f857

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 09:03

Reported

2024-11-09 09:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b465d58_Thu127ed1404d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f78841e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\waitfor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f78841e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 840 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2380 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe

"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe

61f292a50b8fa_Thu12c85191.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe

61f292a8a0a6c_Thu12fda79da.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe

61f292ae71b3f_Thu1291f781.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe

61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe

61f292ac194f1_Thu1230653d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe

61f292a4b3280_Thu12692268df32.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe

61f292ae24e70_Thu12a74e4137.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe

61f292ad20a43_Thu120f4aad3d7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe

61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe

61f292adcd500_Thu12dd12e2c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe

61f292aaee251_Thu12817405.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe

61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Esistenza.wbk

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe

61f292a3b1188_Thu12926eaf6b3.exe

C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JNI23.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$901AE,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b465d58_Thu127ed1404d.exe

61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V2EFM.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$301E2,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe" -a

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq BullGuardCore.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "bullguardcore.exe"

C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$401E2,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout 19

C:\Windows\SysWOW64\timeout.exe

timeout 19

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Sul.exe.pif J

C:\Windows\SysWOW64\waitfor.exe

waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\CZlKA.Q5

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1480

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 484

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2016 -s 488

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\CZlKA.Q5

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1140

C:\Users\Admin\AppData\Local\Temp\f78841e.exe

"C:\Users\Admin\AppData\Local\Temp\f78841e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 v.xyzgamev.com udp
N/A 127.0.0.1:49282 tcp
N/A 127.0.0.1:49285 tcp
US 8.8.8.8:53 KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW udp
US 8.8.8.8:53 www.listincode.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 zenitsu.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 onlinehueplet.com udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
PL 151.115.10.3:80 zenitsu.s3.pl-waw.scw.cloud tcp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 8.8.8.8:53 inosuke.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 presstheme.me udp
US 8.8.8.8:53 c.pki.goog udp
PL 151.115.10.4:80 inosuke.s3.pl-waw.scw.cloud tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 54.205.158.59:443 www.listincode.com tcp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
NL 81.4.105.174:80 tcp
US 8.8.8.8:53 www.hhiuew33.com udp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 dll1.stdcdn.com udp
US 8.8.8.8:53 crl.microsoft.com udp
CH 80.67.82.104:80 crl.microsoft.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
FR 77.132.68.187:8080 tcp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
FR 77.132.68.187:8080 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a8a0a6c_Thu12fda79da.exe

MD5 b8ecec542a07067a193637269973c2e8
SHA1 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256 fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
SHA512 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

memory/2912-131-0x0000000000400000-0x0000000000414000-memory.dmp

memory/108-127-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a50b8fa_Thu12c85191.exe

MD5 4fda4b291bdc23439208635f8b4f10e5
SHA1 6911fce737067d5bbeab05960ecd56d3a0fe0dfb
SHA256 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480
SHA512 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a4b3280_Thu12692268df32.exe

MD5 5b14369c347439becacaa0883c07f17b
SHA1 126b0012934a2bf5aab025d931feb3b4315a2d9a
SHA256 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
SHA512 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae71b3f_Thu1291f781.exe

MD5 ce54b9287c3e4b5733035d0be085d989
SHA1 07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
SHA512 c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ae24e70_Thu12a74e4137.exe

MD5 cc722fd0bd387cf472350dc2dd7ddd1e
SHA1 49d288ddbb09265a586dd8d6629c130be7063afa
SHA256 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
SHA512 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b10868e_Thu12702ecb5.exe

MD5 6cda68905cfd314c1b5dcafd6adebc96
SHA1 c6e952b5190121ab0c082a2de4bc0caf06d1dcf0
SHA256 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0
SHA512 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292af47cdd_Thu12168454a4a.exe

MD5 2fd3235d23e379fcca10cf25661689c8
SHA1 ac4c74c6c95693a6d9d67caf55a6106eaa408959
SHA256 a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc
SHA512 e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ad20a43_Thu120f4aad3d7.exe

MD5 8b361d36500a8a4abd21c08235e6c0c8
SHA1 c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce
SHA256 dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5
SHA512 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a688404_Thu122ae6bbac.exe

MD5 a05b981f73e296c8edf29ea9f68b8355
SHA1 f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512 d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292ac194f1_Thu1230653d.exe

MD5 af0de0482a6545057fb04ece77e0e83e
SHA1 a5275870f175a76ae14d965211d02a5214adb5c2
SHA256 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a
SHA512 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b465d58_Thu127ed1404d.exe

MD5 79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

memory/2024-136-0x0000000000070000-0x00000000000FA000-memory.dmp

memory/2052-135-0x0000000000A20000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292adcd500_Thu12dd12e2c.exe

MD5 b0448525c5a00135bb5b658cc6745574
SHA1 a08d53ce43ad01d47564a7dcdb87383652ef29f5
SHA256 b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859
SHA512 b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292b2a8973_Thu12d2978de30.exe

MD5 9691ad5126152a385a01220ee47221c1
SHA1 48465630edcdc71525c792c0b855ef0d321f6a5e
SHA256 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67
SHA512 b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292a3b1188_Thu12926eaf6b3.exe

MD5 fbd3940d1ad28166d8539eae23d44d5b
SHA1 55fff8a0aa435885fc86f7f33fec24558aa21ef5
SHA256 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7
SHA512 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11

C:\Users\Admin\AppData\Local\Temp\7zSC4973BB6\61f292aaee251_Thu12817405.exe

MD5 e65bf2d56fcaa18c1a8d0d481072dc62
SHA1 c7492c7e09b329bed044e9ee45e425e0817c22f4
SHA256 c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895
SHA512 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9

memory/2612-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2612-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2612-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2612-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2612-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2612-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2612-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2612-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2612-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\setup_install.exe

MD5 b14eef8f9059c67b05c710b51d150f82
SHA1 645988e081d1948cae842614cc75875aec8cf68c
SHA256 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e
SHA512 bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5

memory/2612-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2612-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2612-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC4973BB6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d3e22d7fcc478eaf4b9e03a8a5038c12
SHA1 bfa29d4c2535b479102cd37c4a7f4245961daeb3
SHA256 6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656
SHA512 83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956

memory/1404-143-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2896-157-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2896-156-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2132-142-0x0000000000330000-0x00000000003F3000-memory.dmp

memory/2132-141-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2132-155-0x00000000005D0000-0x000000000060E000-memory.dmp

memory/1412-140-0x00000000027F0000-0x00000000028B3000-memory.dmp

memory/1412-139-0x00000000027F0000-0x00000000028B3000-memory.dmp

memory/2132-154-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2132-153-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/2132-158-0x00000000003D0000-0x00000000003E8000-memory.dmp

memory/1228-167-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2896-173-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2132-174-0x00000000000F0000-0x00000000000FA000-memory.dmp

memory/2060-188-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1404-191-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2020-190-0x0000000000400000-0x0000000000682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CK179.tmp\61f292aaee251_Thu12817405.tmp

MD5 83b531c1515044f8241cd9627fbfbe86
SHA1 d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
SHA512 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

C:\Users\Admin\AppData\Local\Temp\is-Q2MR7.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2616-207-0x0000000002860000-0x0000000003860000-memory.dmp

memory/2612-213-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2612-210-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2612-217-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2612-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2612-215-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2612-208-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2912-225-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1476-224-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1984-236-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-238-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-245-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1984-242-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-240-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-246-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-248-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/2440-255-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2132-256-0x00000000003D0000-0x00000000003E8000-memory.dmp

memory/2132-257-0x00000000005D0000-0x000000000060E000-memory.dmp

memory/2132-258-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC810.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2676-267-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/1824-277-0x0000000000880000-0x0000000000903000-memory.dmp

memory/1824-276-0x0000000000880000-0x0000000000903000-memory.dmp

memory/1824-275-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2060-278-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2376-279-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2616-280-0x000000002D910000-0x000000002D9BF000-memory.dmp

memory/2616-281-0x000000002D9C0000-0x000000002DA5C000-memory.dmp

memory/2616-283-0x000000002D9C0000-0x000000002DA5C000-memory.dmp

memory/1824-292-0x0000000000880000-0x0000000000903000-memory.dmp

memory/1824-291-0x0000000000880000-0x0000000000903000-memory.dmp

memory/1824-290-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1824-297-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f78841e.exe

MD5 620bda3df817bff8deb38758d1dc668c
SHA1 9933523941851b42047f2b7a1324eb8daa8fb1ff
SHA256 b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
SHA512 bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

memory/816-382-0x0000000000330000-0x0000000000338000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 09:03

Reported

2024-11-09 09:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b465d58_Thu127ed1404d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\"" C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\waitfor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756166420771177" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 900 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 900 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1016 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe
PID 1016 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe
PID 1016 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe
PID 492 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 492 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 492 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 492 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\waitfor.exe
PID 492 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\waitfor.exe
PID 492 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\waitfor.exe
PID 492 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe
PID 2020 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe
PID 2020 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe
PID 2216 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2216 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2216 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe
PID 1720 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe
PID 1720 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe
PID 4892 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe

"C:\Users\Admin\AppData\Local\Temp\174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe

61f292ae24e70_Thu12a74e4137.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe

61f292a8a0a6c_Thu12fda79da.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe

61f292a3b1188_Thu12926eaf6b3.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe

61f292a4b3280_Thu12692268df32.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe

61f292ac194f1_Thu1230653d.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe

61f292ad20a43_Thu120f4aad3d7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe

61f292adcd500_Thu12dd12e2c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe

61f292a50b8fa_Thu12c85191.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b465d58_Thu127ed1404d.exe

61f292b465d58_Thu127ed1404d.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe

61f292b2a8973_Thu12d2978de30.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 492 -ip 492

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe

61f292aaee251_Thu12817405.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe

61f292ae71b3f_Thu1291f781.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe

61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$602D4,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe

61f292b10868e_Thu12702ecb5.exe /mixtwo

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 612

C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$7029A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Esistenza.wbk

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2648 -ip 2648

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe

61f292a688404_Thu122ae6bbac.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe" -a

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout 19

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 624

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U1CEV.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$A01C6,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe" /SILENT

C:\Windows\SysWOW64\timeout.exe

timeout 19

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq BullGuardCore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4368 -ip 4368

C:\Windows\SysWOW64\find.exe

find /I /N "bullguardcore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 624

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\CZlKA.Q5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 752

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 780

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 832

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Sul.exe.pif J

C:\Windows\SysWOW64\waitfor.exe

waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 840

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 04027fb0f481940795e2c30bcb6b4d6a yqOnbuLyc02ioy+ZBia7tQ.0.1.0.0.0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff96fb3cc40,0x7ff96fb3cc4c,0x7ff96fb3cc58

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4368 -ip 4368

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 844

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2824,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3132,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

rundll32

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5412,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5420,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5416,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2596 -ip 2596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1280

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4832,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5380,i,4872267081243524556,13007038579805581382,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hornygl.xyz udp
US 8.8.8.8:53 www.listincode.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 zenitsu.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 ip-api.com udp
PL 151.115.10.3:80 zenitsu.s3.pl-waw.scw.cloud tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 inosuke.s3.pl-waw.scw.cloud udp
US 8.8.8.8:53 presstheme.me udp
PL 151.115.10.3:80 inosuke.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 3.10.115.151.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 onlinehueplet.com udp
RU 92.255.57.115:11841 tcp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 8.8.8.8:53 appwebstat.biz udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 KLGqdXSVxgZGfuYBAcEbdNW.KLGqdXSVxgZGfuYBAcEbdNW udp
N/A 127.0.0.1:61586 tcp
N/A 127.0.0.1:61591 tcp
US 8.8.8.8:53 www.hhiuew33.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
US 104.26.2.46:443 iplogger.org tcp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 v.xyzgamev.com udp
NL 81.4.105.174:80 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
DE 92.246.89.93:80 onlinehueplet.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
RU 92.255.57.115:11841 tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
RU 92.255.57.115:11841 tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 104.26.2.46:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 d3e22d7fcc478eaf4b9e03a8a5038c12
SHA1 bfa29d4c2535b479102cd37c4a7f4245961daeb3
SHA256 6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656
SHA512 83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\setup_install.exe

MD5 b14eef8f9059c67b05c710b51d150f82
SHA1 645988e081d1948cae842614cc75875aec8cf68c
SHA256 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e
SHA512 bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/492-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b10868e_Thu12702ecb5.exe

MD5 6cda68905cfd314c1b5dcafd6adebc96
SHA1 c6e952b5190121ab0c082a2de4bc0caf06d1dcf0
SHA256 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0
SHA512 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae24e70_Thu12a74e4137.exe

MD5 cc722fd0bd387cf472350dc2dd7ddd1e
SHA1 49d288ddbb09265a586dd8d6629c130be7063afa
SHA256 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
SHA512 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a8a0a6c_Thu12fda79da.exe

MD5 b8ecec542a07067a193637269973c2e8
SHA1 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256 fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
SHA512 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ac194f1_Thu1230653d.exe

MD5 af0de0482a6545057fb04ece77e0e83e
SHA1 a5275870f175a76ae14d965211d02a5214adb5c2
SHA256 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a
SHA512 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a50b8fa_Thu12c85191.exe

MD5 4fda4b291bdc23439208635f8b4f10e5
SHA1 6911fce737067d5bbeab05960ecd56d3a0fe0dfb
SHA256 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480
SHA512 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b2a8973_Thu12d2978de30.exe

MD5 9691ad5126152a385a01220ee47221c1
SHA1 48465630edcdc71525c792c0b855ef0d321f6a5e
SHA256 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67
SHA512 b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292aaee251_Thu12817405.exe

MD5 e65bf2d56fcaa18c1a8d0d481072dc62
SHA1 c7492c7e09b329bed044e9ee45e425e0817c22f4
SHA256 c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895
SHA512 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9

memory/4528-124-0x0000000000CA0000-0x0000000000D2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3JG61.tmp\61f292a4b3280_Thu12692268df32.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/3416-131-0x00000000021F0000-0x0000000002208000-memory.dmp

memory/3452-148-0x0000000005320000-0x0000000005356000-memory.dmp

memory/3452-158-0x0000000005990000-0x0000000005FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4GV7C.tmp\61f292aaee251_Thu12817405.tmp

MD5 83b531c1515044f8241cd9627fbfbe86
SHA1 d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
SHA512 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

memory/3416-159-0x00000000004D0000-0x0000000000562000-memory.dmp

memory/4528-155-0x0000000005560000-0x000000000557E000-memory.dmp

memory/8-172-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292adcd500_Thu12dd12e2c.exe

MD5 b0448525c5a00135bb5b658cc6745574
SHA1 a08d53ce43ad01d47564a7dcdb87383652ef29f5
SHA256 b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859
SHA512 b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hn3x0rbx.3px.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3452-185-0x0000000006290000-0x00000000062F6000-memory.dmp

memory/3452-180-0x00000000060F0000-0x0000000006112000-memory.dmp

memory/3452-186-0x0000000006370000-0x00000000063D6000-memory.dmp

memory/3452-188-0x00000000064B0000-0x0000000006804000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a688404_Thu122ae6bbac.exe

MD5 a05b981f73e296c8edf29ea9f68b8355
SHA1 f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512 d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

C:\Users\Admin\AppData\Local\Temp\is-G23JP.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/8-169-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3416-154-0x0000000005520000-0x0000000005AC4000-memory.dmp

memory/3416-201-0x00000000021F0000-0x0000000002208000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk

MD5 b2a2f85b4201446b23a250f68051b4dc
SHA1 8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5
SHA256 910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade
SHA512 188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c

memory/492-214-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3972-218-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2648-220-0x0000000000400000-0x0000000000437000-memory.dmp

memory/492-216-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/492-215-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4236-219-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3452-235-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/456-240-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61f292af47cdd_Thu12168454a4a.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292af47cdd_Thu12168454a4a.exe

MD5 2fd3235d23e379fcca10cf25661689c8
SHA1 ac4c74c6c95693a6d9d67caf55a6106eaa408959
SHA256 a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc
SHA512 e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0

memory/3452-234-0x0000000006890000-0x00000000068AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/4860-245-0x0000000000400000-0x0000000000480000-memory.dmp

memory/456-250-0x0000000005180000-0x0000000005192000-memory.dmp

memory/456-251-0x00000000052B0000-0x00000000053BA000-memory.dmp

memory/456-249-0x00000000056F0000-0x0000000005D08000-memory.dmp

memory/456-252-0x00000000051E0000-0x000000000521C000-memory.dmp

memory/1060-228-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3416-227-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/3416-225-0x0000000000880000-0x00000000008BE000-memory.dmp

memory/492-209-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/492-206-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2808-204-0x0000000000400000-0x0000000000682000-memory.dmp

memory/492-213-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/948-194-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3416-147-0x0000000002F70000-0x0000000002F7A000-memory.dmp

memory/4528-146-0x0000000005580000-0x00000000055F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RJIC8.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/3972-121-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1572-122-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/2596-120-0x00000000006F0000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ae71b3f_Thu1291f781.exe

MD5 ce54b9287c3e4b5733035d0be085d989
SHA1 07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
SHA512 c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0

memory/3416-127-0x0000000000880000-0x00000000008BE000-memory.dmp

memory/3416-126-0x0000000002270000-0x0000000002271000-memory.dmp

memory/3416-125-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292b465d58_Thu127ed1404d.exe

MD5 79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

memory/3416-113-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1060-109-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292ad20a43_Thu120f4aad3d7.exe

MD5 8b361d36500a8a4abd21c08235e6c0c8
SHA1 c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce
SHA256 dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5
SHA512 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a4b3280_Thu12692268df32.exe

MD5 5b14369c347439becacaa0883c07f17b
SHA1 126b0012934a2bf5aab025d931feb3b4315a2d9a
SHA256 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
SHA512 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\61f292a3b1188_Thu12926eaf6b3.exe

MD5 fbd3940d1ad28166d8539eae23d44d5b
SHA1 55fff8a0aa435885fc86f7f33fec24558aa21ef5
SHA256 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7
SHA512 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11

memory/3452-269-0x0000000007A50000-0x0000000007A6E000-memory.dmp

memory/3452-270-0x0000000007A80000-0x0000000007B23000-memory.dmp

memory/4736-257-0x0000000002650000-0x0000000003650000-memory.dmp

memory/3452-258-0x0000000006E60000-0x0000000006E92000-memory.dmp

memory/3452-259-0x000000006F3E0000-0x000000006F42C000-memory.dmp

memory/492-86-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk

MD5 662676b6ae749090c43a0c5507b16131
SHA1 0aec9044c592c79aa2a44f66b73ed0c5cb62fd68
SHA256 4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4
SHA512 ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4

memory/492-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/492-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/492-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/492-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3452-273-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

memory/3452-272-0x0000000008200000-0x000000000887A000-memory.dmp

memory/492-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/492-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/492-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/492-77-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3452-275-0x0000000007C40000-0x0000000007C4A000-memory.dmp

memory/492-76-0x000000006494A000-0x000000006494F000-memory.dmp

memory/492-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/492-74-0x00000000007A0000-0x000000000082F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Riflettere.wbk

MD5 4008d7f17a08efd3fbd18e4e1ba29e00
SHA1 53e25946589981cb36b0e9fb5b26fc334d4f9424
SHA256 752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b
SHA512 39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978

memory/3452-279-0x0000000007E30000-0x0000000007EC6000-memory.dmp

memory/3452-282-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

memory/492-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/492-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8F3DF8D7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3452-283-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

memory/3452-284-0x0000000007E00000-0x0000000007E14000-memory.dmp

memory/3452-286-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

memory/3452-287-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

memory/1668-291-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1668-297-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4368-298-0x0000000000400000-0x000000000045C000-memory.dmp

memory/948-319-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/220-320-0x0000000000400000-0x0000000000682000-memory.dmp

memory/4368-325-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4736-332-0x0000000002650000-0x0000000003650000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7bc798965e9c6e9d55a783976e3d34fa
SHA1 6cb7fdff7679a9359238d79e577f666c8ccb3b32
SHA256 1ca89720a6e20c356150a5a9feed44df6aa9f9508d22c804f810cea4c984a403
SHA512 23ffca4d7cab02c9d7d31a2f6179b4a5b171c360c75a62a39fd3e46eed00151d3d42d6664a2999da817fc14e1d80a9587f9d68e591b6d95182153572748bd7a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\af21aefe-9635-4fe7-ba2c-e44cbefc13a4.tmp

MD5 78402cd12e3310c867a29cc291912f2c
SHA1 5b10967db1a7d36ab7b54f0ba0a9a04bf0ee68b7
SHA256 0f0335782cdb6dc3b3d3a87b4f72a751234df02094db3a2ebe0d57729ea87657
SHA512 0e5142a45f3225229581704adde58ad057ef553c31bd9b0ff858c9b10da8d0805a1d55042dd2d584bef8737af375575588f6eb38ac94893a7dd78c3f905af0c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c9e42eaeacf3f5f47c5bac270d6f1fd0
SHA1 cb9339649b048e526cd648e69590403f4cfe7cb8
SHA256 74e9fe16bec804a2ef5cf1bf844712a334ee942f55126af0e3694f20203aabf2
SHA512 3752d22f3c8c568dbde3ffa0904e34754aab30ebd88556de683f371a2e6c61504b7de2a4bc542829d7c44bb1719cb5e9c411ab75a16c56f1f79caa3935e097bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a31b520999574d594add58c4fe06335f
SHA1 906bee80677eb21bef0f7f3d82c048dfe7529076
SHA256 9345765716eba391b3199082b202e1eb5664a643af9799a954078a82f9cfe7fb
SHA512 211c55fc7cda6e7f96941efabf0e67a922766ecb2cf3f6c4b58d82031eed0692395e0a4bea722aacbdae5a33d11d169ffb945ad08fbac73942aa5e090f41882d

memory/4736-372-0x0000000002650000-0x0000000003650000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 267956d72762740c13784b89288b5487
SHA1 0d75407c76c5343126b6795c8eb707cb059aef69
SHA256 f9de4db5f863d4d465b754cb9163f08170821b1f93a0924a9745546381e3c195
SHA512 1938113c161732a355a33f857f62eca05da6914eb8c15a7377e1d01a6cf93bd8fb0bd8986f7450356fcbae0554b43e3304a49c14c13d75ae77ae88a378e9e9eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 467713059e07eeb6af7234de2f48d6d1
SHA1 c65ccb04123b1a138e51715800378f364b141f3f
SHA256 9b3aeb0b261c3e367cc9ecb2879a4a08a613e8970f30144ac27928cc5f4cf22f
SHA512 07c7463bd5d7478aac9022dd3c8ccfa77b62025649a3ec24bb980152c7daa3a76c767b12257bfaac61baf9dd2e4357d1ac4d8157cad6ec0a880e86c0f22d164d

memory/4736-397-0x0000000002650000-0x0000000003650000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 c7d3ef729df3802894a9be0674f7bef1
SHA1 8d3b2d73cb8592c9f2ea5e78aa89c339b3b5509b
SHA256 06139d90e0a1abcbc32cc8c1ab57bd940f8a85a39311f7b8511a31a8a9d87b17
SHA512 7ad5aa7a79cb11c6aaddbb1efa5c43c9e91a097f9df873a31839ebcf665779134c6a5809ba7053f6832248afdbe00182df447f634c6d34d8f829d38deeeead01

C:\Users\Admin\AppData\Local\Temp\scoped_dir1704_500290361\b352d79f-b0df-497e-b18a-ebb714513420.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 daa2133343dbb78c76288e9e14e6a661
SHA1 9605c9d690a3886978ab38cf687e84f4bec21d1c
SHA256 fdb0828e264dd382b2f94009c82e7f742b710cf21819beb79e3d6090f7836c39
SHA512 3a4e0faa35ceec313f87f234ce93e25ebd8f8d152de276b172b89cbccbec86cc74922e63a5fdf4a94a443263cb132b7459ff1e1b303a44953afe365478a15440

C:\Users\Admin\AppData\Local\Temp\scoped_dir1704_500290361\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

memory/4736-640-0x0000000002650000-0x0000000003650000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b35124ecdea56eb27b1d2b0ab5b07860
SHA1 631d285b9571f4e7e592d227f0a4b3aeacdfd347
SHA256 2c9051c1e8638d75043989fd5a014209df57ef6498424a43bbf21ce76f5ef864
SHA512 effc8d819cf125339dee533c77c962234e6856a41624613e39a833585c94088c85bf64e8746ae403a0c154691d6078b20bf701b446a02e7051a61b189b452fcb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 36cf361719ff8abe9b651b31298a2758
SHA1 0e6f3992177b24a5dce38e9a8ea1f3ff1d449dd3
SHA256 4839214518bdb44c4d833374b8da5f3dab858cd246adc9c1e9d717347865782d
SHA512 91db3d45daf1077ea5eba047a2d40de2a368228f85d09c78f69d6fbacbe400240005565083ac32ae239b965550707613d5e2cb4df9cdcaed28b9e1f7bea1ea4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a8784e18376fc7d276ab54e0c7ae4bf0
SHA1 f238f59c8b8d602cc6578cebdad75902db8c790e
SHA256 d18df5304b6574b86e83d0fc0b8487fd8994be77ca46c1e887eb506b6098ae30
SHA512 f55e9704d736c2a3874aae843caa031c72f678894cb353f8861609b3ba5db874a89d0ee88433624247bb0cc47ebbe18e920e8df72ea1dd1368a57c44c861175b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 b27c1c944f451cc765ef256487d8e7ed
SHA1 ca46ce0fdc0031a273800c2c28ebc6550ced9d0a
SHA256 5f00d41579db48431fc1bfa01d31111d66329c8cdac6e36553eeb1390e911669
SHA512 30f942a7c0a89178b8f57fa0e42d867b844121408f84c47d0df401384015a915cc92196c71c001dba207fbb37a3c91b7ca50ccce8609dd2fb08e976a969adb98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1626e991d60ea680d05d0eb387a23cca
SHA1 431ca4870e49cd3cccd1e31bd60a2854d56773ad
SHA256 4becc7585afc10aa6ecc57636130e84fe64b55772c0144bba515bed4ed8d3fa0
SHA512 ae5215bde7e92376e5e751c44b8c38e94ed3350ac622a12c9a23e4305ddbda5c439bdb75b52303128f7745da727ed9d0905394ff1d3708e49d088143fd80833f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ca5179d9fc0d9a43a91c0283ec5cb0f8
SHA1 1bea38e3b8d20a9a94c180a9df26b2cd0dd8115d
SHA256 4a24c0004bc4bde4b98d1593d162ace4a2795935e84ca13b0c1005ee219741f4
SHA512 8cf2ec1371d68b53a27f6320aa170aafbafad8950d6944884788f739dfb073d0772b096984206e99b3a2bf13e3f66e1cfd6f6e02b9bf3d52e8303fc09c7992d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5accc2c103602af5978c5bc6a2d27e76
SHA1 0d0559bae729d52425266ff2fe4a93f453227b30
SHA256 dcebae2f4255aef13efea1cb922872699471aa04624f683a2e1eee9dbd863274
SHA512 742835e72258662c2e877526f89a58dba66dbe0d0af75afdd41464138ad85300697b610f15481fba03d85ff272a41e80342db1527ad611b26a2131211115a70e