redline | 2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

Target

8 (21).exe
Size

3.0MB
MD5

bb072cad921aa5ce8b97706ce01bc570
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd
SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score

10^/10

redline vidar 933 aspackv2 evasion infostealer persistence stealer suricata themida trojan upx vmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 1848 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1848	rUNdlL32.eXe

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral27/memory/900-260-0x0000000000418836-mapping.dmp	family_redline
behavioral27/memory/892-262-0x0000000000418846-mapping.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral27/memory/2836-230-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral27/memory/1640-157-0x0000000000900000-0x000000000099D000-memory.dmp	family_vidar
behavioral27/memory/1640-161-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar

ASPack v2.12-2.42 18 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

setup_installer.exesetup_install.exesonia_1.exesonia_3.exesonia_4.exesonia_2.exesonia_5.exesonia_6.exejfiag3g_gg.exeXN2GoTLmPPzxVHpCFMGc0LPu.exeFY8_BpN95wpRcYqnjEcI0dLT.exe6Ltht0BzS_gXI3ibSS0IsFLf.exeKZvqShJ9r4xiJVc_UVFdJBCR.exeEXgOyzYGTmbrN6E1RUlwawJR.exefWdKz3EuYHJn48bJrSL8nFVb.exeLrDJtjZxoUhrCgBPKoA3j1Ve.exetT3zRPobCkhQwzkaTalybj9u.exedDBJ8YwgEJDByPJuNMNmre8Q.exeVHPnnt3DYjtIKlU8mLwO7AHY.exeXaS9QUUrhNj21ykaBuCx53yR.exe4OpcfTducy9hrCU6bSiXKPfo.exep9lbRFUuZxPe4_3PMNzzwxv7.exe

pid	process
848	setup_installer.exe
316	setup_install.exe
1960	sonia_1.exe
1640	sonia_3.exe
1564	sonia_4.exe
1320	sonia_2.exe
1368	sonia_5.exe
1364	sonia_6.exe
1068	jfiag3g_gg.exe
2028	XN2GoTLmPPzxVHpCFMGc0LPu.exe
2024	FY8_BpN95wpRcYqnjEcI0dLT.exe
1164	6Ltht0BzS_gXI3ibSS0IsFLf.exe
1828	KZvqShJ9r4xiJVc_UVFdJBCR.exe
1952	EXgOyzYGTmbrN6E1RUlwawJR.exe
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe
864	LrDJtjZxoUhrCgBPKoA3j1Ve.exe
2052	tT3zRPobCkhQwzkaTalybj9u.exe
2140	dDBJ8YwgEJDByPJuNMNmre8Q.exe
2192	VHPnnt3DYjtIKlU8mLwO7AHY.exe
2216	XaS9QUUrhNj21ykaBuCx53yR.exe
2204	4OpcfTducy9hrCU6bSiXKPfo.exe
2248	p9lbRFUuZxPe4_3PMNzzwxv7.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral27/memory/2680-223-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect
behavioral27/memory/2680-220-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dDBJ8YwgEJDByPJuNMNmre8Q.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dDBJ8YwgEJDByPJuNMNmre8Q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dDBJ8YwgEJDByPJuNMNmre8Q.exe

Loads dropped DLL 64 IoCs

Processes:

8 (21).exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exesonia_3.exesonia_5.exesonia_6.exeWerFault.exejfiag3g_gg.exetaskkill.exeKZvqShJ9r4xiJVc_UVFdJBCR.exeEXgOyzYGTmbrN6E1RUlwawJR.exefWdKz3EuYHJn48bJrSL8nFVb.exeXaS9QUUrhNj21ykaBuCx53yR.exe

pid	process
520	8 (21).exe
848	setup_installer.exe
848	setup_installer.exe
848	setup_installer.exe
848	setup_installer.exe
848	setup_installer.exe
848	setup_installer.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
316	setup_install.exe
1252	cmd.exe
1252	cmd.exe
2020	cmd.exe
2020	cmd.exe
1996	cmd.exe
2016	cmd.exe
1684	cmd.exe
1684	cmd.exe
1840	cmd.exe
1640	sonia_3.exe
1640	sonia_3.exe
1368	sonia_5.exe
1368	sonia_5.exe
1364	sonia_6.exe
1364	sonia_6.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1364	sonia_6.exe
1364	sonia_6.exe
1068	jfiag3g_gg.exe
1068	jfiag3g_gg.exe
1520	WerFault.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1828	KZvqShJ9r4xiJVc_UVFdJBCR.exe
1828	KZvqShJ9r4xiJVc_UVFdJBCR.exe
1952	EXgOyzYGTmbrN6E1RUlwawJR.exe
1952	EXgOyzYGTmbrN6E1RUlwawJR.exe
1368	taskkill.exe
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
1368	taskkill.exe
2216	XaS9QUUrhNj21ykaBuCx53yR.exe
2216	XaS9QUUrhNj21ykaBuCx53yR.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral27/memory/2140-210-0x0000000000190000-0x0000000000191000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sonia_6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dDBJ8YwgEJDByPJuNMNmre8Q.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dDBJ8YwgEJDByPJuNMNmre8Q.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
12 ip-api.com
290 ip-api.com
2 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dDBJ8YwgEJDByPJuNMNmre8Q.exe

pid process

2140 dDBJ8YwgEJDByPJuNMNmre8Q.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
5	ipinfo.io
12	ip-api.com
290	ip-api.com
2	ipinfo.io

pid	process
2140	dDBJ8YwgEJDByPJuNMNmre8Q.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1520	316	WerFault.exe	setup_install.exe
2532	1640	WerFault.exe	sonia_3.exe
2788	2680	WerFault.exe	md8_8eus.exe
1308	2204	WerFault.exe	4OpcfTducy9hrCU6bSiXKPfo.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1628 timeout.exe
2300 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1368 taskkill.exe
1072 taskkill.exe
3448 taskkill.exe
3336 taskkill.exe
2768 taskkill.exe

pid	process
1628	timeout.exe
2300	timeout.exe

pid	process
1368	taskkill.exe
1072	taskkill.exe
3448	taskkill.exe
3336	taskkill.exe
2768	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_4.exesonia_3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	sonia_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	sonia_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sonia_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	sonia_4.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3904 PING.EXE
524 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

WerFault.exe

pid process

1520 WerFault.exe
1520 WerFault.exe
1520 WerFault.exe
1520 WerFault.exe
1520 WerFault.exe
1520 WerFault.exe

pid	process
3904	PING.EXE
524	PING.EXE

pid	process
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

sonia_4.exeWerFault.exetT3zRPobCkhQwzkaTalybj9u.exe

description	pid	process
Token: SeDebugPrivilege	1564	sonia_4.exe
Token: SeDebugPrivilege	1520	WerFault.exe
Token: SeCreateTokenPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeAssignPrimaryTokenPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeLockMemoryPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeIncreaseQuotaPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeMachineAccountPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeTcbPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeSecurityPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeTakeOwnershipPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeLoadDriverPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeSystemProfilePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeSystemtimePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeProfSingleProcessPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeIncBasePriorityPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeCreatePagefilePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeCreatePermanentPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeBackupPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeRestorePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeShutdownPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeDebugPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeAuditPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeSystemEnvironmentPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeChangeNotifyPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeRemoteShutdownPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeUndockPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeSyncAgentPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeEnableDelegationPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeManageVolumePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeImpersonatePrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: SeCreateGlobalPrivilege	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: 31	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: 32	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: 33	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: 34	2052	tT3zRPobCkhQwzkaTalybj9u.exe
Token: 35	2052	tT3zRPobCkhQwzkaTalybj9u.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fWdKz3EuYHJn48bJrSL8nFVb.exe

pid process

1612 fWdKz3EuYHJn48bJrSL8nFVb.exe
1612 fWdKz3EuYHJn48bJrSL8nFVb.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

fWdKz3EuYHJn48bJrSL8nFVb.exe

pid process

1612 fWdKz3EuYHJn48bJrSL8nFVb.exe
1612 fWdKz3EuYHJn48bJrSL8nFVb.exe

pid	process
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe

pid	process
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe
1612	fWdKz3EuYHJn48bJrSL8nFVb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8 (21).exesetup_installer.exesetup_install.execmd.execmd.exe

description	pid	process	target process
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 520 wrote to memory of 848	520	8 (21).exe	setup_installer.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 848 wrote to memory of 316	848	setup_installer.exe	setup_install.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1252	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1684	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2020	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1996	316	setup_install.exe	cmd.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 1252 wrote to memory of 1960	1252	cmd.exe	sonia_1.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 2016	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 316 wrote to memory of 1840	316	setup_install.exe	cmd.exe
PID 2020 wrote to memory of 1640	2020	cmd.exe	sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\8 (21).exe
"C:\Users\Admin\AppData\Local\Temp\8 (21).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe
sonia_1.exe
5⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe" -a
6⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
4⤵
- Loads dropped DLL
PID:1684

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.exe
sonia_2.exe
5⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe
sonia_3.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1000
6⤵
- Program crash
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
4⤵
- Loads dropped DLL
PID:1996

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_4.exe
sonia_4.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
4⤵
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exe
sonia_5.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368

C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe
"C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828

C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe
"C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"
7⤵
PID:2856

C:\Users\Admin\Documents\6Ltht0BzS_gXI3ibSS0IsFLf.exe
"C:\Users\Admin\Documents\6Ltht0BzS_gXI3ibSS0IsFLf.exe"
6⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\Documents\XN2GoTLmPPzxVHpCFMGc0LPu.exe
"C:\Users\Admin\Documents\XN2GoTLmPPzxVHpCFMGc0LPu.exe"
6⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\Documents\FY8_BpN95wpRcYqnjEcI0dLT.exe
"C:\Users\Admin\Documents\FY8_BpN95wpRcYqnjEcI0dLT.exe"
6⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
7⤵
PID:2228

C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe
"C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe"
6⤵
- Executes dropped EXE
PID:864

C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe
C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe
7⤵
PID:892

C:\Users\Admin\Documents\tT3zRPobCkhQwzkaTalybj9u.exe
"C:\Users\Admin\Documents\tT3zRPobCkhQwzkaTalybj9u.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:2768

C:\Users\Admin\Documents\fWdKz3EuYHJn48bJrSL8nFVb.exe
"C:\Users\Admin\Documents\fWdKz3EuYHJn48bJrSL8nFVb.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Users\Public\run.exe
C:\Users\Public\run.exe
7⤵
PID:2280

C:\Users\Public\run.exe
C:\Users\Public\run.exe
8⤵
PID:2768

C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe
"C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe
"C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"
7⤵
PID:2976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
8⤵
PID:2900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
9⤵
PID:2448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.0.1587411387\95208403" -parentBuildID 20200403170909 -prefsHandle 1132 -prefMapHandle 1068 -prefsLen 1 -prefMapSize 218938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 1216 gpu
10⤵
PID:2284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.3.264911914\465962297" -childID 1 -isForBrowser -prefsHandle 4272 -prefMapHandle 4268 -prefsLen 156 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 4284 tab
10⤵
PID:3580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.13.1297685243\734563361" -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 2592 -prefsLen 7588 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 3288 tab
10⤵
PID:1608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.20.862995282\1228269900" -childID 3 -isForBrowser -prefsHandle 2388 -prefMapHandle 2356 -prefsLen 8981 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 2560 tab
10⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
8⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef19e4f50,0x7fef19e4f60,0x7fef19e4f70
9⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:2
9⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1440 /prefetch:8
9⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:8
9⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
9⤵
PID:3640

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
9⤵
PID:1556

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fc0a890,0x13fc0a8a0,0x13fc0a8b0
10⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2976 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"
8⤵
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2976
9⤵
- Kills process with taskkill
PID:1072

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2976 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"
8⤵
PID:2136

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2976
9⤵
- Loads dropped DLL
- Kills process with taskkill
PID:1368

C:\Users\Admin\Documents\dDBJ8YwgEJDByPJuNMNmre8Q.exe
"C:\Users\Admin\Documents\dDBJ8YwgEJDByPJuNMNmre8Q.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2140

C:\Users\Admin\Documents\p9lbRFUuZxPe4_3PMNzzwxv7.exe
"C:\Users\Admin\Documents\p9lbRFUuZxPe4_3PMNzzwxv7.exe"
6⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
7⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
8⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
8⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
8⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
8⤵
PID:2628

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
7⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 276
8⤵
- Program crash
PID:2788

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
7⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:3340

C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe
"C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "XaS9QUUrhNj21ykaBuCx53yR.exe" /f & erase "C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe" & exit
7⤵
PID:908

C:\Users\Admin\Documents\4OpcfTducy9hrCU6bSiXKPfo.exe
"C:\Users\Admin\Documents\4OpcfTducy9hrCU6bSiXKPfo.exe"
6⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 968
7⤵
- Program crash
PID:1308

C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe
"C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe"
6⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe
C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe
7⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
4⤵
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exe
sonia_6.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1364

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
4⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 412
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2392

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\4A78.exe
C:\Users\Admin\AppData\Local\Temp\4A78.exe
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\8BEC.exe
C:\Users\Admin\AppData\Local\Temp\8BEC.exe
1⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8BEC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8BEC.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:2556

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8BEC.exe /f
3⤵
- Kills process with taskkill
PID:3448

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {E49F9313-260A-4D92-98A3-4BF1AF38854A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1072

C:\Users\Admin\AppData\Roaming\vvbuuvf
C:\Users\Admin\AppData\Roaming\vvbuuvf
2⤵
PID:2908

C:\Users\Admin\AppData\Roaming\vvbuuvf
C:\Users\Admin\AppData\Roaming\vvbuuvf
3⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\6B43.exe
C:\Users\Admin\AppData\Local\Temp\6B43.exe
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\A602.exe
C:\Users\Admin\AppData\Local\Temp\A602.exe
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\BFF9.exe
C:\Users\Admin\AppData\Local\Temp\BFF9.exe
1⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\DB28.exe
C:\Users\Admin\AppData\Local\Temp\DB28.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\EF83.exe
C:\Users\Admin\AppData\Local\Temp\EF83.exe
1⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\5C89.exe
C:\Users\Admin\AppData\Local\Temp\5C89.exe
1⤵
PID:3164

C:\Windows\system32\cmd.exe
cmd /c start c.exe & start l.exe
2⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l.exe
l.exe
3⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.exe
c.exe
3⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Parlasse.wmv
4⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:968

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hqVLSBiFVkisDvgANWfHkkgqnFPqUPdvHQlUgqiIGEuNwqJAbhcZzXvwMVhhLiKuVLKNjzkNOHwGyBYbVfCGzdrKzoozMTXmTqRddWgreIkLVQWlWPacEtMEHZxtk$" Ove.wmv
1⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping QWOCTUPM -n 30
1⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com
Puramente.exe.com m
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m
2⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m
3⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m
4⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\7DB0.exe
C:\Users\Admin\AppData\Local\Temp\7DB0.exe
1⤵
PID:3016

C:\Windows\system32\cmd.exe
cmd /c start c.exe & start l.exe
2⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l.exe
l.exe
3⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c.exe
c.exe
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Parlasse.wmv
4⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2240

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hqVLSBiFVkisDvgANWfHkkgqnFPqUPdvHQlUgqiIGEuNwqJAbhcZzXvwMVhhLiKuVLKNjzkNOHwGyBYbVfCGzdrKzoozMTXmTqRddWgreIkLVQWlWPacEtMEHZxtk$" Ove.wmv
6⤵
PID:2948

C:\Windows\SysWOW64\PING.EXE
ping QWOCTUPM -n 30
6⤵
- Runs ping.exe
PID:524

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.com
Puramente.exe.com m
6⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.com m
7⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
8⤵
PID:2288

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3576

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1680

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3672

C:\Windows\system32\taskeng.exe
taskeng.exe {BCA11F77-3BA9-461F-B745-51375D17818C} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:3032

C:\Users\Admin\AppData\Roaming\vvbuuvf
C:\Users\Admin\AppData\Roaming\vvbuuvf
2⤵
PID:2928

C:\Users\Admin\AppData\Roaming\vvbuuvf
C:\Users\Admin\AppData\Roaming\vvbuuvf
3⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\BB9B.exe
C:\Users\Admin\AppData\Local\Temp\BB9B.exe
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\DC07.exe
C:\Users\Admin\AppData\Local\Temp\DC07.exe
1⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im DC07.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DC07.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:4076

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DC07.exe /f
3⤵
- Kills process with taskkill
PID:3336

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
a9717eb4afbf9c3a47d17aefc5dfef17

SHA1
484b877021a569778230a2a1750f4beb843217c3

SHA256
4a163bdfe6e4bed324afa91891caafad37ab5dec3d43a872fb2c8bacd5f51504

SHA512
4f84a9997f9c8e34de2ee2073fe7ac0eba6425783b1dbb288843c3add72f3c63ebe6b9a09db0def4dff0fd1b8eb0b63ae56aac8479e368cfacf9c382c6708ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.txt

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.exe

MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.txt

MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.txt

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_4.exe

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_4.txt

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exe

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.txt

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exe

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.txt

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe

MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.exe

MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.exe

MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exe

MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_4.exe

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exe

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exe

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exe

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exe

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exe

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exe

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
memory/316-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/316-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/316-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/316-91-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/316-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/316-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/316-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/316-71-0x0000000000000000-mapping.dmp

Download
memory/316-93-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/316-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/316-92-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/316-102-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/316-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/520-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/556-125-0x0000000000000000-mapping.dmp

Download
memory/568-273-0x0000000000000000-mapping.dmp

Download
memory/848-61-0x0000000000000000-mapping.dmp

Download
memory/852-305-0x0000000000000000-mapping.dmp

Download
memory/864-240-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/864-179-0x0000000000000000-mapping.dmp

Download
memory/864-201-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/892-262-0x0000000000418846-mapping.dmp

Download
memory/900-260-0x0000000000418836-mapping.dmp

Download
memory/908-246-0x0000000000000000-mapping.dmp

Download
memory/1068-164-0x0000000000000000-mapping.dmp

Download
memory/1164-184-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1164-177-0x0000000000000000-mapping.dmp

Download
memory/1252-106-0x0000000000000000-mapping.dmp

Download
memory/1264-257-0x0000000000000000-mapping.dmp

Download
memory/1308-255-0x0000000000000000-mapping.dmp

Download
memory/1320-135-0x0000000000000000-mapping.dmp

Download
memory/1364-137-0x0000000000000000-mapping.dmp

Download
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/1520-171-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1520-155-0x0000000000000000-mapping.dmp

Download
memory/1564-154-0x000000001A6F0000-0x000000001A6F2000-memory.dmp

Filesize
8KB

Download
memory/1564-142-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1564-127-0x0000000000000000-mapping.dmp

Download
memory/1612-248-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1612-181-0x0000000000000000-mapping.dmp

Download
memory/1640-123-0x0000000000000000-mapping.dmp

Download
memory/1640-161-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1640-157-0x0000000000900000-0x000000000099D000-memory.dmp

Filesize
628KB

Download
memory/1684-107-0x0000000000000000-mapping.dmp

Download
memory/1828-232-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/1828-178-0x0000000000000000-mapping.dmp

Download
memory/1832-308-0x0000000000000000-mapping.dmp

Download
memory/1840-119-0x0000000000000000-mapping.dmp

Download
memory/1952-180-0x0000000000000000-mapping.dmp

Download
memory/1952-245-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1952-204-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1960-114-0x0000000000000000-mapping.dmp

Download
memory/1996-112-0x0000000000000000-mapping.dmp

Download
memory/2016-116-0x0000000000000000-mapping.dmp

Download
memory/2020-109-0x0000000000000000-mapping.dmp

Download
memory/2024-214-0x0000000002830000-0x0000000002901000-memory.dmp

Filesize
836KB

Download
memory/2024-207-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/2024-212-0x0000000002050000-0x00000000020C0000-memory.dmp

Filesize
448KB

Download
memory/2024-175-0x0000000000000000-mapping.dmp

Download
memory/2028-176-0x0000000000000000-mapping.dmp

Download
memory/2052-182-0x0000000000000000-mapping.dmp

Download
memory/2068-287-0x0000000000000000-mapping.dmp

Download
memory/2140-210-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2140-188-0x0000000000000000-mapping.dmp

Download
memory/2168-278-0x0000000000000000-mapping.dmp

Download
memory/2192-200-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2192-190-0x0000000000000000-mapping.dmp

Download
memory/2192-241-0x0000000000460000-0x00000000004C8000-memory.dmp

Filesize
416KB

Download
memory/2204-247-0x00000000038D0000-0x0000000006770000-memory.dmp

Filesize
46.6MB

Download
memory/2204-191-0x0000000000000000-mapping.dmp

Download
memory/2216-243-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-192-0x0000000000000000-mapping.dmp

Download
memory/2216-242-0x0000000000370000-0x000000000039F000-memory.dmp

Filesize
188KB

Download
memory/2228-314-0x0000000000000000-mapping.dmp

Download
memory/2248-194-0x0000000000000000-mapping.dmp

Download
memory/2276-269-0x0000000000000000-mapping.dmp

Download
memory/2280-253-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2280-251-0x0000000000000000-mapping.dmp

Download
memory/2396-294-0x0000000000000000-mapping.dmp

Download
memory/2472-290-0x0000000000000000-mapping.dmp

Download
memory/2532-208-0x0000000000000000-mapping.dmp

Download
memory/2532-213-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2628-297-0x0000000000000000-mapping.dmp

Download
memory/2632-284-0x0000000000000000-mapping.dmp

Download
memory/2648-215-0x0000000000000000-mapping.dmp

Download
memory/2660-281-0x0000000000000000-mapping.dmp

Download
memory/2668-216-0x0000000000000000-mapping.dmp

Download
memory/2680-220-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2680-223-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2680-217-0x0000000000000000-mapping.dmp

Download
memory/2740-272-0x0000000000000000-mapping.dmp

Download
memory/2748-221-0x0000000000000000-mapping.dmp

Download
memory/2768-222-0x0000000000000000-mapping.dmp

Download
memory/2768-303-0x000000000044003F-mapping.dmp

Download
memory/2788-244-0x0000000000310000-0x0000000000390000-memory.dmp

Filesize
512KB

Download
memory/2788-226-0x0000000000000000-mapping.dmp

Download
memory/2796-300-0x0000000000000000-mapping.dmp

Download
memory/2836-228-0x0000000000000000-mapping.dmp

Download
memory/2836-230-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2856-231-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2856-233-0x0000000000402E1A-mapping.dmp

Download
memory/2892-311-0x0000000000000000-mapping.dmp

Download
memory/2900-234-0x0000000000000000-mapping.dmp

Download
memory/2932-236-0x0000000000000000-mapping.dmp

Download
memory/2976-320-0x000000000040CD2F-mapping.dmp

Download