redline | c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe
Size

3.6MB
MD5

0e889d6851ab22224f025dc82cfeae38
SHA1

ab9a4b6134da1f9f714ea64788b4cc7fd9ef49c7
SHA256

c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd
SHA512

cbcda301fb0cad07deccb6ea1d1a10568f20f15d1342ed6493e60c278c129e733c3261d1518672c6b08c23ea9d0735dbaa3fc215b2d1a379e7dac6f995c407f1

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ANINEWONE

zisiarenal.xyz:80

Extracted

Family

redline

Botnet

da da

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Extracted

Family

redline

5.206.224.220:81

Attributes

auth_value
4330eefe7c0f986c945c8babe3202f28

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

ruzki14_03

176.122.23.55:11768

Attributes

auth_value
13b742acfe493b01c5301781c98d3fbe

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4772 864 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	864	rundll32.exe

RedLine Payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2420-227-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4544-243-0x0000000000C90000-0x0000000000DDE000-memory.dmp	family_redline
behavioral2/memory/4544-244-0x0000000000C90000-0x0000000000DDE000-memory.dmp	family_redline
behavioral2/memory/4544-250-0x0000000000C90000-0x0000000000DDE000-memory.dmp	family_redline
behavioral2/memory/1900-260-0x0000000000350000-0x0000000000370000-memory.dmp	family_redline
behavioral2/memory/4544-259-0x0000000000C90000-0x0000000000DDE000-memory.dmp	family_redline
behavioral2/memory/1500-268-0x00000000000B0000-0x0000000000235000-memory.dmp	family_redline
behavioral2/memory/1500-280-0x00000000000B0000-0x0000000000235000-memory.dmp	family_redline
behavioral2/memory/1888-279-0x00000000006B0000-0x0000000000835000-memory.dmp	family_redline
behavioral2/memory/1500-282-0x00000000000B0000-0x0000000000235000-memory.dmp	family_redline
behavioral2/memory/1888-297-0x00000000006B0000-0x0000000000835000-memory.dmp	family_redline
behavioral2/memory/1888-294-0x00000000006B0000-0x0000000000835000-memory.dmp	family_redline
behavioral2/memory/1500-266-0x00000000000B0000-0x0000000000235000-memory.dmp	family_redline
behavioral2/memory/1796-325-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4484-341-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/260-345-0x0000000000540000-0x0000000000560000-memory.dmp	family_redline
behavioral2/memory/1248-352-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_8.txt	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_8.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5060-214-0x0000000004930000-0x00000000049CD000-memory.dmp	family_vidar
behavioral2/memory/5060-217-0x0000000000400000-0x0000000002CC4000-memory.dmp	family_vidar
behavioral2/memory/1716-275-0x0000000000860000-0x0000000000B0A000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 49 IoCs

Processes:

setup_installer.exesetup_install.exesonia_7.exesonia_6.exesonia_10.exesonia_8.exesonia_3.exesonia_1.exesonia_9.exesonia_4.exesonia_2.exesonia_5.exesonia_5.tmpsonia_1.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exesonia_4.exeWerFault.exefEp6V4pwDrvz2ngDMyreFzJe.exehdnT_puPprZZ3FGyvXudyzFo.exeiZbaWkWl6dtfUck3VtmDN2tH.exeIeDv6qrqr0FfJiRPPIq5B_j9.exeWerFault.exe9ZmZCYYo5QTVMIfR71wfNb9A.exeIFoV6guv9l75_LfoTekl0bD6.exeuBrm5y5yarAACO1FSGmfTEQM.exeMlO3GsPQtRprsvH45kcdNRNQ.exerhzB7dfTGlWFVZ6ANt8KNA1R.exeKFwauIx9oMcak87wFdgs9PwT.exeYqo0f7jS52BJnAoqPSCSXoHg.exeLszTQvmqQCr0Bz5JVx9hHv31.exeConhost.exeMdMBjtlzBDhVvTIOUi4bhSI2.exetimeout.exesearch_hyperfs_213.exea9W7N6cin2_6PlZrdtaxA46Q.exeRgCqjCyX8hrVarlITqPUgz1y.exeiQqPrNFo2rYmEUgtuUzWr7PE.exeInstall.exeInstall.exe733088b4-c6d4-45fb-a667-4bb3c2b03cca.exeZHF_Mo6DOUKcp6X8u7aplKkY.exeoMHYxeYQTSamRprxBldEmotU.exe

pid	process
4428	setup_installer.exe
1708	setup_install.exe
1368	sonia_7.exe
1500	sonia_6.exe
4884	sonia_10.exe
4880	sonia_8.exe
5060	sonia_3.exe
4168	sonia_1.exe
2976	sonia_9.exe
2756	sonia_4.exe
3932	sonia_2.exe
2468	sonia_5.exe
2528	sonia_5.tmp
2872	sonia_1.exe
308	jfiag3g_gg.exe
4500	jfiag3g_gg.exe
3172	jfiag3g_gg.exe
3248	jfiag3g_gg.exe
3920	jfiag3g_gg.exe
3496	jfiag3g_gg.exe
2396	jfiag3g_gg.exe
3184	jfiag3g_gg.exe
2420	sonia_4.exe
2852	WerFault.exe
4500	fEp6V4pwDrvz2ngDMyreFzJe.exe
4544	hdnT_puPprZZ3FGyvXudyzFo.exe
4696	iZbaWkWl6dtfUck3VtmDN2tH.exe
1476	IeDv6qrqr0FfJiRPPIq5B_j9.exe
4832	WerFault.exe
4440	9ZmZCYYo5QTVMIfR71wfNb9A.exe
3240	IFoV6guv9l75_LfoTekl0bD6.exe
1900	uBrm5y5yarAACO1FSGmfTEQM.exe
2464	MlO3GsPQtRprsvH45kcdNRNQ.exe
1500	rhzB7dfTGlWFVZ6ANt8KNA1R.exe
1716	KFwauIx9oMcak87wFdgs9PwT.exe
5112	Yqo0f7jS52BJnAoqPSCSXoHg.exe
4512	LszTQvmqQCr0Bz5JVx9hHv31.exe
4988	Conhost.exe
1888	MdMBjtlzBDhVvTIOUi4bhSI2.exe
1260	timeout.exe
3496	search_hyperfs_213.exe
3184	a9W7N6cin2_6PlZrdtaxA46Q.exe
4572	RgCqjCyX8hrVarlITqPUgz1y.exe
372	iQqPrNFo2rYmEUgtuUzWr7PE.exe
1508	Install.exe
3108	Install.exe
3948	733088b4-c6d4-45fb-a667-4bb3c2b03cca.exe
672	ZHF_Mo6DOUKcp6X8u7aplKkY.exe
1920	oMHYxeYQTSamRprxBldEmotU.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

search_hyperfs_213.exeConhost.exefEp6V4pwDrvz2ngDMyreFzJe.exeWerFault.exeMlO3GsPQtRprsvH45kcdNRNQ.exeLszTQvmqQCr0Bz5JVx9hHv31.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	search_hyperfs_213.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fEp6V4pwDrvz2ngDMyreFzJe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MlO3GsPQtRprsvH45kcdNRNQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LszTQvmqQCr0Bz5JVx9hHv31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LszTQvmqQCr0Bz5JVx9hHv31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fEp6V4pwDrvz2ngDMyreFzJe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MlO3GsPQtRprsvH45kcdNRNQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	search_hyperfs_213.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Conhost.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exesetup_installer.exesonia_1.exesonia_7.exeiZbaWkWl6dtfUck3VtmDN2tH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sonia_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sonia_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	iZbaWkWl6dtfUck3VtmDN2tH.exe

Loads dropped DLL 7 IoCs

Processes:

setup_install.exesonia_5.tmp

pid	process
1708	setup_install.exe
1708	setup_install.exe
1708	setup_install.exe
1708	setup_install.exe
1708	setup_install.exe
1708	setup_install.exe
2528	sonia_5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fEp6V4pwDrvz2ngDMyreFzJe.exeMlO3GsPQtRprsvH45kcdNRNQ.exeLszTQvmqQCr0Bz5JVx9hHv31.exesearch_hyperfs_213.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fEp6V4pwDrvz2ngDMyreFzJe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MlO3GsPQtRprsvH45kcdNRNQ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LszTQvmqQCr0Bz5JVx9hHv31.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	search_hyperfs_213.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
23 ip-api.com
192 ipinfo.io
193 ipinfo.io
225 ipinfo.io
17 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

hdnT_puPprZZ3FGyvXudyzFo.exerhzB7dfTGlWFVZ6ANt8KNA1R.exeKFwauIx9oMcak87wFdgs9PwT.exeMdMBjtlzBDhVvTIOUi4bhSI2.exe

pid process

4544 hdnT_puPprZZ3FGyvXudyzFo.exe
1500 rhzB7dfTGlWFVZ6ANt8KNA1R.exe
1716 KFwauIx9oMcak87wFdgs9PwT.exe
1888 MdMBjtlzBDhVvTIOUi4bhSI2.exe

flow	ioc
18	ipinfo.io
23	ip-api.com
192	ipinfo.io
193	ipinfo.io
225	ipinfo.io
17	ipinfo.io

pid	process
4544	hdnT_puPprZZ3FGyvXudyzFo.exe
1500	rhzB7dfTGlWFVZ6ANt8KNA1R.exe
1716	KFwauIx9oMcak87wFdgs9PwT.exe
1888	MdMBjtlzBDhVvTIOUi4bhSI2.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

sonia_4.exefEp6V4pwDrvz2ngDMyreFzJe.exeWerFault.exeIFoV6guv9l75_LfoTekl0bD6.exeMlO3GsPQtRprsvH45kcdNRNQ.exeConhost.exeLszTQvmqQCr0Bz5JVx9hHv31.exesearch_hyperfs_213.exe

description	pid	process	target process
PID 2756 set thread context of 2420	2756	sonia_4.exe	sonia_4.exe
PID 4500 set thread context of 1796	4500	fEp6V4pwDrvz2ngDMyreFzJe.exe	AppLaunch.exe
PID 4832 set thread context of 4484	4832	WerFault.exe	AppLaunch.exe
PID 3240 set thread context of 1920	3240	IFoV6guv9l75_LfoTekl0bD6.exe	oMHYxeYQTSamRprxBldEmotU.exe
PID 2464 set thread context of 260	2464	MlO3GsPQtRprsvH45kcdNRNQ.exe	AppLaunch.exe
PID 4988 set thread context of 1248	4988	Conhost.exe	AppLaunch.exe
PID 4512 set thread context of 2900	4512	LszTQvmqQCr0Bz5JVx9hHv31.exe	AppLaunch.exe
PID 3496 set thread context of 1220	3496	search_hyperfs_213.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

WerFault.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1900	1708	WerFault.exe	setup_install.exe
1484	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
2984	5112	WerFault.exe	Yqo0f7jS52BJnAoqPSCSXoHg.exe
2836	5112	WerFault.exe	Yqo0f7jS52BJnAoqPSCSXoHg.exe
2852	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
2592	1920	WerFault.exe	IFoV6guv9l75_LfoTekl0bD6.exe
760	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
4384	1260	WerFault.exe	i2vVuCrv_1D2dUsymu1c4kZW.exe
4832	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
212	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
212	1620	WerFault.exe	6jZH7tr1yYCULDHkM37xI9Nl.exe
4364	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
5388	4380	WerFault.exe	5EhgIsmoMwJiXyDSSEdpe_lM.exe
5520	408	WerFault.exe	psnWJ9wypP9Dzpo1bZE3waQF.exe
5788	1620	WerFault.exe	6jZH7tr1yYCULDHkM37xI9Nl.exe
1116	1620	WerFault.exe	6jZH7tr1yYCULDHkM37xI9Nl.exe
5356	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
5420	1620	WerFault.exe	6jZH7tr1yYCULDHkM37xI9Nl.exe
2776	1144	WerFault.exe	siww1049.exe
1368	1620	WerFault.exe	6jZH7tr1yYCULDHkM37xI9Nl.exe
5880	4440	WerFault.exe	9ZmZCYYo5QTVMIfR71wfNb9A.exe
5436	6028	WerFault.exe	rundll32.exe
5508	5176	WerFault.exe	anytime3.exe
5432	3040	WerFault.exe	bearvpn3.exe
1436	5392	WerFault.exe	anytime2.exe
816	5196	WerFault.exe	anytime1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sonia_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1512 schtasks.exe
5156 schtasks.exe
5932 schtasks.exe
1268 schtasks.exe
4100 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1260 timeout.exe
5484 timeout.exe
5264 timeout.exe
5916 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

456 taskkill.exe
5476 taskkill.exe
5468 taskkill.exe
684 taskkill.exe

pid	process
1512	schtasks.exe
5156	schtasks.exe
5932	schtasks.exe
1268	schtasks.exe
4100	schtasks.exe

pid	process
1260	timeout.exe
5484	timeout.exe
5264	timeout.exe
5916	timeout.exe

pid	process
456	taskkill.exe
5476	taskkill.exe
5468	taskkill.exe
684	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exe

pid	process
3932	sonia_2.exe
3932	sonia_2.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sonia_2.exe

pid process

3932 sonia_2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sonia_8.exesonia_10.exesonia_6.exetaskkill.exesonia_4.exehdnT_puPprZZ3FGyvXudyzFo.exeiZbaWkWl6dtfUck3VtmDN2tH.exerhzB7dfTGlWFVZ6ANt8KNA1R.exeiQqPrNFo2rYmEUgtuUzWr7PE.exeMdMBjtlzBDhVvTIOUi4bhSI2.exe

description	pid	process
Token: SeCreateTokenPrivilege	4880	sonia_8.exe
Token: SeAssignPrimaryTokenPrivilege	4880	sonia_8.exe
Token: SeLockMemoryPrivilege	4880	sonia_8.exe
Token: SeIncreaseQuotaPrivilege	4880	sonia_8.exe
Token: SeMachineAccountPrivilege	4880	sonia_8.exe
Token: SeTcbPrivilege	4880	sonia_8.exe
Token: SeSecurityPrivilege	4880	sonia_8.exe
Token: SeTakeOwnershipPrivilege	4880	sonia_8.exe
Token: SeLoadDriverPrivilege	4880	sonia_8.exe
Token: SeSystemProfilePrivilege	4880	sonia_8.exe
Token: SeSystemtimePrivilege	4880	sonia_8.exe
Token: SeProfSingleProcessPrivilege	4880	sonia_8.exe
Token: SeIncBasePriorityPrivilege	4880	sonia_8.exe
Token: SeCreatePagefilePrivilege	4880	sonia_8.exe
Token: SeCreatePermanentPrivilege	4880	sonia_8.exe
Token: SeBackupPrivilege	4880	sonia_8.exe
Token: SeRestorePrivilege	4880	sonia_8.exe
Token: SeShutdownPrivilege	4880	sonia_8.exe
Token: SeDebugPrivilege	4880	sonia_8.exe
Token: SeAuditPrivilege	4880	sonia_8.exe
Token: SeSystemEnvironmentPrivilege	4880	sonia_8.exe
Token: SeChangeNotifyPrivilege	4880	sonia_8.exe
Token: SeRemoteShutdownPrivilege	4880	sonia_8.exe
Token: SeUndockPrivilege	4880	sonia_8.exe
Token: SeSyncAgentPrivilege	4880	sonia_8.exe
Token: SeEnableDelegationPrivilege	4880	sonia_8.exe
Token: SeManageVolumePrivilege	4880	sonia_8.exe
Token: SeImpersonatePrivilege	4880	sonia_8.exe
Token: SeCreateGlobalPrivilege	4880	sonia_8.exe
Token: 31	4880	sonia_8.exe
Token: 32	4880	sonia_8.exe
Token: 33	4880	sonia_8.exe
Token: 34	4880	sonia_8.exe
Token: 35	4880	sonia_8.exe
Token: SeDebugPrivilege	4884	sonia_10.exe
Token: SeDebugPrivilege	1500	sonia_6.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	2420	sonia_4.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeDebugPrivilege	4544	hdnT_puPprZZ3FGyvXudyzFo.exe
Token: SeDebugPrivilege	4696	iZbaWkWl6dtfUck3VtmDN2tH.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeDebugPrivilege	1500	rhzB7dfTGlWFVZ6ANt8KNA1R.exe
Token: SeDebugPrivilege	372	iQqPrNFo2rYmEUgtuUzWr7PE.exe
Token: SeDebugPrivilege	1888	MdMBjtlzBDhVvTIOUi4bhSI2.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1616 wrote to memory of 4428	1616	c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe	setup_installer.exe
PID 1616 wrote to memory of 4428	1616	c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe	setup_installer.exe
PID 1616 wrote to memory of 4428	1616	c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe	setup_installer.exe
PID 4428 wrote to memory of 1708	4428	setup_installer.exe	setup_install.exe
PID 4428 wrote to memory of 1708	4428	setup_installer.exe	setup_install.exe
PID 4428 wrote to memory of 1708	4428	setup_installer.exe	setup_install.exe
PID 1708 wrote to memory of 684	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 684	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 684	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1328	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1328	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1328	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 5084	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 5084	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 5084	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4772	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4772	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4772	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4076	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4076	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4076	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 1716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4092	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4092	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4092	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3716	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4080	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4080	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 4080	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3132	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3132	1708	setup_install.exe	cmd.exe
PID 1708 wrote to memory of 3132	1708	setup_install.exe	cmd.exe
PID 4092 wrote to memory of 1368	4092	cmd.exe	sonia_7.exe
PID 4092 wrote to memory of 1368	4092	cmd.exe	sonia_7.exe
PID 4092 wrote to memory of 1368	4092	cmd.exe	sonia_7.exe
PID 1716 wrote to memory of 1500	1716	cmd.exe	sonia_6.exe
PID 1716 wrote to memory of 1500	1716	cmd.exe	sonia_6.exe
PID 3132 wrote to memory of 4884	3132	cmd.exe	sonia_10.exe
PID 3132 wrote to memory of 4884	3132	cmd.exe	sonia_10.exe
PID 3716 wrote to memory of 4880	3716	cmd.exe	sonia_8.exe
PID 3716 wrote to memory of 4880	3716	cmd.exe	sonia_8.exe
PID 3716 wrote to memory of 4880	3716	cmd.exe	sonia_8.exe
PID 5084 wrote to memory of 5060	5084	cmd.exe	sonia_3.exe
PID 5084 wrote to memory of 5060	5084	cmd.exe	sonia_3.exe
PID 5084 wrote to memory of 5060	5084	cmd.exe	sonia_3.exe
PID 684 wrote to memory of 4168	684	cmd.exe	sonia_1.exe
PID 684 wrote to memory of 4168	684	cmd.exe	sonia_1.exe
PID 684 wrote to memory of 4168	684	cmd.exe	sonia_1.exe
PID 4772 wrote to memory of 2756	4772	cmd.exe	sonia_4.exe
PID 4772 wrote to memory of 2756	4772	cmd.exe	sonia_4.exe
PID 4772 wrote to memory of 2756	4772	cmd.exe	sonia_4.exe
PID 4080 wrote to memory of 2976	4080	cmd.exe	sonia_9.exe
PID 4080 wrote to memory of 2976	4080	cmd.exe	sonia_9.exe
PID 4080 wrote to memory of 2976	4080	cmd.exe	sonia_9.exe
PID 1328 wrote to memory of 3932	1328	cmd.exe	sonia_2.exe
PID 1328 wrote to memory of 3932	1328	cmd.exe	sonia_2.exe
PID 1328 wrote to memory of 3932	1328	cmd.exe	sonia_2.exe
PID 4076 wrote to memory of 2468	4076	cmd.exe	sonia_5.exe
PID 4076 wrote to memory of 2468	4076	cmd.exe	sonia_5.exe
PID 4076 wrote to memory of 2468	4076	cmd.exe	sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe
"C:\Users\Admin\AppData\Local\Temp\c38a744506be1491c4ec849d5ae8142fcd058251a32243ef2929f3861d8f99cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.exe
sonia_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4168

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.exe" -a
6⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_3.exe
sonia_3.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_2.exe
sonia_2.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.exe
sonia_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2756

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_6.exe
sonia_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_10.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_10.exe
sonia_10.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_9.exe
sonia_9.exe
5⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:308

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:4500

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:3172

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_8.exe
sonia_8.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_7.exe
sonia_7.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1368

C:\Users\Admin\Documents\C9n8_QaQW2VhznJjUM1tL_JK.exe
"C:\Users\Admin\Documents\C9n8_QaQW2VhznJjUM1tL_JK.exe"
6⤵
PID:2852

C:\Users\Admin\Documents\ZHF_Mo6DOUKcp6X8u7aplKkY.exe
"C:\Users\Admin\Documents\ZHF_Mo6DOUKcp6X8u7aplKkY.exe"
7⤵
- Executes dropped EXE
PID:672

C:\Users\Admin\Pictures\Adobe Films\mHUqH8Z8C5VwTW3VKQim0O45.exe
"C:\Users\Admin\Pictures\Adobe Films\mHUqH8Z8C5VwTW3VKQim0O45.exe"
8⤵
PID:1456

C:\Users\Admin\Pictures\Adobe Films\oMHYxeYQTSamRprxBldEmotU.exe
"C:\Users\Admin\Pictures\Adobe Films\oMHYxeYQTSamRprxBldEmotU.exe"
8⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
9⤵
PID:5536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
10⤵
PID:6080

C:\Users\Admin\Pictures\Adobe Films\6jZH7tr1yYCULDHkM37xI9Nl.exe
"C:\Users\Admin\Pictures\Adobe Films\6jZH7tr1yYCULDHkM37xI9Nl.exe"
8⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 616
9⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 656
9⤵
- Program crash
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 664
9⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 808
9⤵
- Program crash
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 776
9⤵
- Program crash
PID:1368

C:\Users\Admin\Pictures\Adobe Films\5EhgIsmoMwJiXyDSSEdpe_lM.exe
"C:\Users\Admin\Pictures\Adobe Films\5EhgIsmoMwJiXyDSSEdpe_lM.exe"
8⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 344
9⤵
- Program crash
PID:5388

C:\Users\Admin\Pictures\Adobe Films\c7iRGdgQ2EXZQeE22cNV09rC.exe
"C:\Users\Admin\Pictures\Adobe Films\c7iRGdgQ2EXZQeE22cNV09rC.exe"
8⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\7zS8D73.tmp\Install.exe
.\Install.exe
9⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\7zSA263.tmp\Install.exe
.\Install.exe /S /site_id "525403"
10⤵
PID:6088

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
11⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
12⤵
PID:2296

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
13⤵
PID:4136

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
13⤵
PID:4412

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
11⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
12⤵
PID:4844

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
13⤵
PID:4300

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
13⤵
PID:5204

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdMszaGPX" /SC once /ST 11:27:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
11⤵
- Creates scheduled task(s)
PID:5932

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdMszaGPX"
11⤵
PID:260

C:\Users\Admin\Pictures\Adobe Films\psnWJ9wypP9Dzpo1bZE3waQF.exe
"C:\Users\Admin\Pictures\Adobe Films\psnWJ9wypP9Dzpo1bZE3waQF.exe"
8⤵
PID:408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 408 -s 348
9⤵
- Program crash
PID:5520

C:\Users\Admin\Pictures\Adobe Films\xftoqWfC1RkSu9ZPunVZ4olD.exe
"C:\Users\Admin\Pictures\Adobe Films\xftoqWfC1RkSu9ZPunVZ4olD.exe"
8⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
9⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\GE2KK55B7IE4I9F.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://institutohood.edu.ar/webArg8.txt">here</a>.</p> </body></html>
10⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe"
9⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\xli.exe
"C:\Users\Admin\AppData\Local\Temp\xli.exe" -h
10⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
9⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\1c7640ff-c4f7-49ca-8531-7174fec3462e.exe
"C:\Users\Admin\AppData\Local\Temp\1c7640ff-c4f7-49ca-8531-7174fec3462e.exe"
10⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
9⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
9⤵
PID:1144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1144 -s 852
10⤵
- Program crash
PID:2776

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
9⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwk3tqfr.yv6.bat""
10⤵
PID:5740

C:\Windows\system32\timeout.exe
timeout 3
11⤵
- Executes dropped EXE
- Delays execution with timeout.exe
PID:1260

C:\ProgramData\BCleaner Software\BCleaner Software.exe
"C:\ProgramData\BCleaner Software\BCleaner Software.exe"
11⤵
PID:3576

C:\ProgramData\BCleaner Software\BCleaner Update Worker.exe
"C:\ProgramData\BCleaner Software\BCleaner Update Worker.exe"
11⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
9⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
9⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\is-IOUBR.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IOUBR.tmp\setup.tmp" /SL5="$602A4,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
10⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
11⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\is-S6CGJ.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S6CGJ.tmp\setup.tmp" /SL5="$702A4,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
12⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\ip.exe
"C:\Users\Admin\AppData\Local\Temp\ip.exe"
9⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
10⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\7zS30A9.tmp\Install.exe
.\Install.exe
11⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\7zS3E64.tmp\Install.exe
.\Install.exe /S /site_id "745794"
12⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
9⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
9⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
9⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\ClEhEaqvhpyqJ\app455.exe
C:\Users\Admin\AppData\Local\Temp\ClEhEaqvhpyqJ\app455.exe
10⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3496

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XEB0.Cpl",
10⤵
PID:1092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XEB0.Cpl",
11⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
9⤵
PID:5196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5196 -s 1696
10⤵
- Program crash
PID:816

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
9⤵
PID:5392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5392 -s 1692
10⤵
- Program crash
PID:1436

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
9⤵
PID:5176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5176 -s 1692
10⤵
- Program crash
PID:5508

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
9⤵
PID:3040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3040 -s 1688
10⤵
- Program crash
PID:5432

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:1512

C:\Users\Admin\Documents\fEp6V4pwDrvz2ngDMyreFzJe.exe
"C:\Users\Admin\Documents\fEp6V4pwDrvz2ngDMyreFzJe.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1796

C:\Users\Admin\Documents\hdnT_puPprZZ3FGyvXudyzFo.exe
"C:\Users\Admin\Documents\hdnT_puPprZZ3FGyvXudyzFo.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\Documents\iZbaWkWl6dtfUck3VtmDN2tH.exe
"C:\Users\Admin\Documents\iZbaWkWl6dtfUck3VtmDN2tH.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Users\Admin\AppData\Local\Temp\733088b4-c6d4-45fb-a667-4bb3c2b03cca.exe
"C:\Users\Admin\AppData\Local\Temp\733088b4-c6d4-45fb-a667-4bb3c2b03cca.exe"
7⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\Documents\IeDv6qrqr0FfJiRPPIq5B_j9.exe
"C:\Users\Admin\Documents\IeDv6qrqr0FfJiRPPIq5B_j9.exe"
6⤵
- Executes dropped EXE
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im IeDv6qrqr0FfJiRPPIq5B_j9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\IeDv6qrqr0FfJiRPPIq5B_j9.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:1260

C:\Windows\SysWOW64\taskkill.exe
taskkill /im IeDv6qrqr0FfJiRPPIq5B_j9.exe /f
8⤵
- Kills process with taskkill
PID:5476

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5264

C:\Users\Admin\Documents\154DtZUUY2GSvbajoZkO7ACa.exe
"C:\Users\Admin\Documents\154DtZUUY2GSvbajoZkO7ACa.exe"
6⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4484

C:\Users\Admin\Documents\MlO3GsPQtRprsvH45kcdNRNQ.exe
"C:\Users\Admin\Documents\MlO3GsPQtRprsvH45kcdNRNQ.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:260

C:\Users\Admin\Documents\LszTQvmqQCr0Bz5JVx9hHv31.exe
"C:\Users\Admin\Documents\LszTQvmqQCr0Bz5JVx9hHv31.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2900

C:\Users\Admin\Documents\Yqo0f7jS52BJnAoqPSCSXoHg.exe
"C:\Users\Admin\Documents\Yqo0f7jS52BJnAoqPSCSXoHg.exe"
6⤵
- Executes dropped EXE
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 432
7⤵
- Program crash
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 440
7⤵
- Program crash
PID:2836

C:\Users\Admin\Documents\KFwauIx9oMcak87wFdgs9PwT.exe
"C:\Users\Admin\Documents\KFwauIx9oMcak87wFdgs9PwT.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im KFwauIx9oMcak87wFdgs9PwT.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\KFwauIx9oMcak87wFdgs9PwT.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2508

C:\Windows\SysWOW64\taskkill.exe
taskkill /im KFwauIx9oMcak87wFdgs9PwT.exe /f
8⤵
- Kills process with taskkill
PID:5468

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5916

C:\Users\Admin\Documents\rhzB7dfTGlWFVZ6ANt8KNA1R.exe
"C:\Users\Admin\Documents\rhzB7dfTGlWFVZ6ANt8KNA1R.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\Documents\uBrm5y5yarAACO1FSGmfTEQM.exe
"C:\Users\Admin\Documents\uBrm5y5yarAACO1FSGmfTEQM.exe"
6⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\Documents\IFoV6guv9l75_LfoTekl0bD6.exe
"C:\Users\Admin\Documents\IFoV6guv9l75_LfoTekl0bD6.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3240

C:\Users\Admin\Documents\IFoV6guv9l75_LfoTekl0bD6.exe
"C:\Users\Admin\Documents\IFoV6guv9l75_LfoTekl0bD6.exe"
7⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 552
8⤵
- Program crash
PID:2592

C:\Users\Admin\Documents\9ZmZCYYo5QTVMIfR71wfNb9A.exe
"C:\Users\Admin\Documents\9ZmZCYYo5QTVMIfR71wfNb9A.exe"
6⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 456
7⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 632
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Program crash
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 644
7⤵
- Program crash
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 816
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 816
7⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1212
7⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1224
7⤵
- Program crash
PID:5356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "9ZmZCYYo5QTVMIfR71wfNb9A.exe" /f & erase "C:\Users\Admin\Documents\9ZmZCYYo5QTVMIfR71wfNb9A.exe" & exit
7⤵
PID:3660

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "9ZmZCYYo5QTVMIfR71wfNb9A.exe" /f
8⤵
- Kills process with taskkill
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1332
7⤵
- Program crash
PID:5880

C:\Users\Admin\Documents\1x1kI27ir4x7427fPfeR8yUD.exe
"C:\Users\Admin\Documents\1x1kI27ir4x7427fPfeR8yUD.exe"
6⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1220

C:\Users\Admin\Documents\RgCqjCyX8hrVarlITqPUgz1y.exe
"C:\Users\Admin\Documents\RgCqjCyX8hrVarlITqPUgz1y.exe"
6⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\Temp\7zS10A2.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\7zS2543.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
- Executes dropped EXE
PID:3108

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:4596

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:5188

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:5792

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:5924

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:5436

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:5164

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwUPaEOvg" /SC once /ST 15:31:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:5156

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwUPaEOvg"
9⤵
PID:4152

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwUPaEOvg"
9⤵
PID:5300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 16:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\fmnEBoa.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- Creates scheduled task(s)
PID:1268

C:\Users\Admin\Documents\iQqPrNFo2rYmEUgtuUzWr7PE.exe
"C:\Users\Admin\Documents\iQqPrNFo2rYmEUgtuUzWr7PE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
7⤵
PID:3308

C:\Windows\SysWOW64\timeout.exe
timeout 45
8⤵
- Delays execution with timeout.exe
PID:5484

C:\Users\Admin\Documents\a9W7N6cin2_6PlZrdtaxA46Q.exe
"C:\Users\Admin\Documents\a9W7N6cin2_6PlZrdtaxA46Q.exe"
6⤵
- Executes dropped EXE
PID:3184

C:\Users\Admin\Documents\i2vVuCrv_1D2dUsymu1c4kZW.exe
"C:\Users\Admin\Documents\i2vVuCrv_1D2dUsymu1c4kZW.exe"
6⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fmuzvrvu\
7⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jvexnnri.exe" C:\Windows\SysWOW64\fmuzvrvu\
7⤵
PID:4404

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create fmuzvrvu binPath= "C:\Windows\SysWOW64\fmuzvrvu\jvexnnri.exe /d\"C:\Users\Admin\Documents\i2vVuCrv_1D2dUsymu1c4kZW.exe\"" type= own start= auto DisplayName= "wifi support"
7⤵
PID:3444

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description fmuzvrvu "wifi internet conection"
7⤵
PID:2876

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fmuzvrvu
7⤵
PID:1620

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:3244

C:\Users\Admin\glgfdhzy.exe
"C:\Users\Admin\glgfdhzy.exe" /d"C:\Users\Admin\Documents\i2vVuCrv_1D2dUsymu1c4kZW.exe"
7⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xshdxzxs.exe" C:\Windows\SysWOW64\fmuzvrvu\
8⤵
PID:4836

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config fmuzvrvu binPath= "C:\Windows\SysWOW64\fmuzvrvu\xshdxzxs.exe /d\"C:\Users\Admin\glgfdhzy.exe\""
8⤵
PID:5408

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start fmuzvrvu
8⤵
PID:5696

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
8⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1048
7⤵
- Program crash
PID:4384

C:\Users\Admin\Documents\MdMBjtlzBDhVvTIOUi4bhSI2.exe
"C:\Users\Admin\Documents\MdMBjtlzBDhVvTIOUi4bhSI2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\Documents\jERkUL0k9nvsAt97rvAsPqbY.exe
"C:\Users\Admin\Documents\jERkUL0k9nvsAt97rvAsPqbY.exe"
6⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_5.exe
sonia_5.exe
5⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\is-5U9RG.tmp\sonia_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5U9RG.tmp\sonia_5.tmp" /SL5="$70066,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_5.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 568
4⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1708 -ip 1708
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5112 -ip 5112
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4440 -ip 4440
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5112 -ip 5112
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1920 -ip 1920
1⤵
PID:1456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 4440
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4440 -ip 4440
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4440 -ip 4440
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1260 -ip 1260
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4440 -ip 4440
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4440 -ip 4440
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1620 -ip 1620
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4380 -ip 4380
1⤵
PID:5260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 408 -ip 408
1⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1620 -ip 1620
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1308 -ip 1308
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1620 -ip 1620
1⤵
PID:5348

C:\Windows\SysWOW64\fmuzvrvu\xshdxzxs.exe
C:\Windows\SysWOW64\fmuzvrvu\xshdxzxs.exe /d"C:\Users\Admin\glgfdhzy.exe"
1⤵
PID:2388

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4440 -ip 4440
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1620 -ip 1620
1⤵
PID:5392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1144 -ip 1144
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1620 -ip 1620
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4440 -ip 4440
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2388 -ip 2388
1⤵
PID:4772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:116

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 604
3⤵
- Program crash
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6028 -ip 6028
1⤵
PID:5432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 5176 -ip 5176
1⤵
PID:3784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 668 -p 5196 -ip 5196
1⤵
PID:6108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 5392 -ip 5392
1⤵
PID:5496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3040 -ip 3040
1⤵
PID:5740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
7a51ad6c3244c0e0ed2b487b55cac8e1

SHA1
6c0bad9139cc9a1ea3cdd8fa5b88d8178ffca22e

SHA256
cc54c1b099f3766be8a90c793b244e07982b05b23773e2491da98feed48ee3b9

SHA512
f68992d782dae540b9b1f8a251788ca1bf608001ed8cdc19cb96e75ebdeef8d78f92106cae5cff5a3c899e0a648e0ff4a8a81a768d223eb8a52de390419143ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sonia_4.exe.log
MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe
MD5
c58a3134ed39ff2d4a12cc8bacb4afa4

SHA1
ac020e6f28dadbe47f8a733b04513c24d7d1de7d

SHA256
082086410c7e4b7c7e4b1ccc10084dea33d687f871333b95381b355094a60988

SHA512
11bd5d7f30fa96a4bbd480326557c03b9e4579fbcd036ca22b02a70398c80b5564559debc087eb87fb8aeaf127f422bd079e7fb6df0218d27f25a4121a5b0b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\setup_install.exe
MD5
c58a3134ed39ff2d4a12cc8bacb4afa4

SHA1
ac020e6f28dadbe47f8a733b04513c24d7d1de7d

SHA256
082086410c7e4b7c7e4b1ccc10084dea33d687f871333b95381b355094a60988

SHA512
11bd5d7f30fa96a4bbd480326557c03b9e4579fbcd036ca22b02a70398c80b5564559debc087eb87fb8aeaf127f422bd079e7fb6df0218d27f25a4121a5b0b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.exe
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_1.txt
MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_10.exe
MD5
a751ba2284537771139f262a569f215b

SHA1
99ccdf13399e5a9cd9390406e36da6fca4eeb30d

SHA256
e3241cc9f0b6e098e999c29eccf01937c90ad6ae5e51a867d41b39031e19a1c8

SHA512
cb8ffbc2efbe3809a1fd18ca8bfc955c645d36876b1628a358dfb9085901e9bd4d018052eaf4859fe473b3531bf2253ea154b584322193c8c9e268cb7b252026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_10.txt
MD5
a751ba2284537771139f262a569f215b

SHA1
99ccdf13399e5a9cd9390406e36da6fca4eeb30d

SHA256
e3241cc9f0b6e098e999c29eccf01937c90ad6ae5e51a867d41b39031e19a1c8

SHA512
cb8ffbc2efbe3809a1fd18ca8bfc955c645d36876b1628a358dfb9085901e9bd4d018052eaf4859fe473b3531bf2253ea154b584322193c8c9e268cb7b252026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_2.exe
MD5
f9732566b5c08534145cd14598c9be28

SHA1
2cc6b804e563801cf6fb38a471aaa64ddad64b9f

SHA256
e6823e51dc0aaee1a5e491b4f1849e34666c26badc90f52335f788096cf03cce

SHA512
21fe1b7709977d57b60035ae3f27f8316b0d2ff9683aa6af7da1289f73fd53ba041eb3eab0b32d7ccef71bb26826bff56b3eb22f91ed91b0fc585b31cb1f20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_2.txt
MD5
f9732566b5c08534145cd14598c9be28

SHA1
2cc6b804e563801cf6fb38a471aaa64ddad64b9f

SHA256
e6823e51dc0aaee1a5e491b4f1849e34666c26badc90f52335f788096cf03cce

SHA512
21fe1b7709977d57b60035ae3f27f8316b0d2ff9683aa6af7da1289f73fd53ba041eb3eab0b32d7ccef71bb26826bff56b3eb22f91ed91b0fc585b31cb1f20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_3.exe
MD5
d7d37a3edc2f2e2eed2d29ade66ffded

SHA1
d0c318d94d782c36bdc1c600c0b30ac89e8ecf59

SHA256
8c0de6774ee44030a078eeb0fd24ac172dd9a32a86d7925651978302590e3f85

SHA512
e1ed8882df5210e3013a8d5dfb92066f281f892becc9aff540973b6c11cf4f597490b4a6a44baa6ce9aeffaf9c9427f1cfe09c0c8e4e804d990b883b3c1b7f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_3.txt
MD5
d7d37a3edc2f2e2eed2d29ade66ffded

SHA1
d0c318d94d782c36bdc1c600c0b30ac89e8ecf59

SHA256
8c0de6774ee44030a078eeb0fd24ac172dd9a32a86d7925651978302590e3f85

SHA512
e1ed8882df5210e3013a8d5dfb92066f281f892becc9aff540973b6c11cf4f597490b4a6a44baa6ce9aeffaf9c9427f1cfe09c0c8e4e804d990b883b3c1b7f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.exe
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.exe
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_4.txt
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_5.exe
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_5.txt
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_6.exe
MD5
cfca2d6f3d47105a6b32b128e6e8bb5e

SHA1
1d2d075a9ffd4498ba690c9586b4d1c56bcfc719

SHA256
60b1235a8785ca8ba84ccb119fa4b04ff516c6a9c10262567c01b91545adc697

SHA512
4c9c24ebb867eefdf8b2fcec6ba3b6b1862a1afef4a32253aca374cbb74b597c43adaef82309ed817c3d740e3750d1e4efedd1c453bc52a65da36a4b542bb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_6.txt
MD5
cfca2d6f3d47105a6b32b128e6e8bb5e

SHA1
1d2d075a9ffd4498ba690c9586b4d1c56bcfc719

SHA256
60b1235a8785ca8ba84ccb119fa4b04ff516c6a9c10262567c01b91545adc697

SHA512
4c9c24ebb867eefdf8b2fcec6ba3b6b1862a1afef4a32253aca374cbb74b597c43adaef82309ed817c3d740e3750d1e4efedd1c453bc52a65da36a4b542bb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_7.exe
MD5
aca9e3d2f97237a4c3dd38a63bf092bc

SHA1
eec122a60c2433ee912c7f15d45be983170de81a

SHA256
fb927a1a69165c7e0dcb5365830d43a8dcb2210036ee121d801d02ee6b7a5458

SHA512
9c9b2387390e57ea68e4f9981070319c94bd2808ba0450eb373ae341d42398837d23a8982811779cb9ff854c92901d10fb37158560231554c07a49e7e3646a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_7.txt
MD5
aca9e3d2f97237a4c3dd38a63bf092bc

SHA1
eec122a60c2433ee912c7f15d45be983170de81a

SHA256
fb927a1a69165c7e0dcb5365830d43a8dcb2210036ee121d801d02ee6b7a5458

SHA512
9c9b2387390e57ea68e4f9981070319c94bd2808ba0450eb373ae341d42398837d23a8982811779cb9ff854c92901d10fb37158560231554c07a49e7e3646a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_8.exe
MD5
bc3f416df3ded32d46930db95917fd52

SHA1
0fce98b62fb734fddb457197b710d6966057e68e

SHA256
713cc95814f8cb1069d70187795a0177df12bc899889cbd80b8e2d75130b9570

SHA512
fbd41b8426635b78ec0288da80a28adca1b60600d8a03ac99886455e46da44172363f036a04fdbaaa07572d6053a03d506214f7b8f71ebf6e09655813871903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_8.txt
MD5
bc3f416df3ded32d46930db95917fd52

SHA1
0fce98b62fb734fddb457197b710d6966057e68e

SHA256
713cc95814f8cb1069d70187795a0177df12bc899889cbd80b8e2d75130b9570

SHA512
fbd41b8426635b78ec0288da80a28adca1b60600d8a03ac99886455e46da44172363f036a04fdbaaa07572d6053a03d506214f7b8f71ebf6e09655813871903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_9.exe
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC41A8E3D\sonia_9.txt
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5U9RG.tmp\sonia_5.tmp
MD5
9638f27a949cc2c5ba8eacaa5532256c

SHA1
5de822a91542245433b43cfb73c0bfc3cb4abc22

SHA256
263717e1bc127eb304a9e2f5f9498eb1de3104a4706b22401cff24554bed4e38

SHA512
1972e6aca6be4fb1c44de1e2aee43cb982024a52d88fa57b982592aa599d9eface31d4e67ced2f9a30e6c5120284e775f61f68dd08baae2eb59223f5083f3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JES9.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
e42d368ea27da8a63c6f17d32a6073f3

SHA1
2f7a3a5b960629ad4796af348cd285d971f0e00f

SHA256
cc4918879851b55a73340a5c2492953a855d7b0e962fad76bd8706cdc96c2ecc

SHA512
60367d7c208aa96731bd0f7742741bc85a04a2feb52b0c133709d072daf8c1b0c111b66ab091b84c66331c21e567c804cfa18bdd4812276587c367ecd1925c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
e42d368ea27da8a63c6f17d32a6073f3

SHA1
2f7a3a5b960629ad4796af348cd285d971f0e00f

SHA256
cc4918879851b55a73340a5c2492953a855d7b0e962fad76bd8706cdc96c2ecc

SHA512
60367d7c208aa96731bd0f7742741bc85a04a2feb52b0c133709d072daf8c1b0c111b66ab091b84c66331c21e567c804cfa18bdd4812276587c367ecd1925c01

Download Submit
C:\Users\Admin\Documents\C9n8_QaQW2VhznJjUM1tL_JK.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\C9n8_QaQW2VhznJjUM1tL_JK.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\IeDv6qrqr0FfJiRPPIq5B_j9.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Documents\IeDv6qrqr0FfJiRPPIq5B_j9.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Documents\fEp6V4pwDrvz2ngDMyreFzJe.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Users\Admin\Documents\hdnT_puPprZZ3FGyvXudyzFo.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\hdnT_puPprZZ3FGyvXudyzFo.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\iZbaWkWl6dtfUck3VtmDN2tH.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
C:\Users\Admin\Documents\iZbaWkWl6dtfUck3VtmDN2tH.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
memory/260-345-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/372-298-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/372-292-0x0000000000A10000-0x0000000000A24000-memory.dmp

Filesize
80KB

Download
memory/1248-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1260-278-0x00000000006DD000-0x00000000006EA000-memory.dmp

Filesize
52KB

Download
memory/1476-265-0x00000000005C0000-0x000000000062C000-memory.dmp

Filesize
432KB

Download
memory/1500-289-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1500-273-0x0000000076600000-0x0000000076815000-memory.dmp

Filesize
2.1MB

Download
memory/1500-280-0x00000000000B0000-0x0000000000235000-memory.dmp

Filesize
1.5MB

Download
memory/1500-282-0x00000000000B0000-0x0000000000235000-memory.dmp

Filesize
1.5MB

Download
memory/1500-186-0x0000000000CD0000-0x0000000000D08000-memory.dmp

Filesize
224KB

Download
memory/1500-290-0x0000000076990000-0x0000000076F43000-memory.dmp

Filesize
5.7MB

Download
memory/1500-266-0x00000000000B0000-0x0000000000235000-memory.dmp

Filesize
1.5MB

Download
memory/1500-284-0x00000000746B0000-0x0000000074739000-memory.dmp

Filesize
548KB

Download
memory/1500-305-0x0000000074240000-0x000000007428C000-memory.dmp

Filesize
304KB

Download
memory/1500-268-0x00000000000B0000-0x0000000000235000-memory.dmp

Filesize
1.5MB

Download
memory/1500-200-0x00007FFD2B120000-0x00007FFD2BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/1500-310-0x0000000001070000-0x00000000010B6000-memory.dmp

Filesize
280KB

Download
memory/1500-267-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1708-157-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1708-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1708-202-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1708-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1708-203-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1708-204-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1708-162-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1708-161-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-160-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1708-159-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1708-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1708-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1708-205-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1708-206-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1708-158-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1716-270-0x0000000000860000-0x0000000000B0A000-memory.dmp

Filesize
2.7MB

Download
memory/1716-275-0x0000000000860000-0x0000000000B0A000-memory.dmp

Filesize
2.7MB

Download
memory/1716-276-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

Filesize
8KB

Download
memory/1796-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-279-0x00000000006B0000-0x0000000000835000-memory.dmp

Filesize
1.5MB

Download
memory/1888-317-0x0000000074240000-0x000000007428C000-memory.dmp

Filesize
304KB

Download
memory/1888-288-0x0000000076600000-0x0000000076815000-memory.dmp

Filesize
2.1MB

Download
memory/1888-277-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1888-294-0x00000000006B0000-0x0000000000835000-memory.dmp

Filesize
1.5MB

Download
memory/1888-297-0x00000000006B0000-0x0000000000835000-memory.dmp

Filesize
1.5MB

Download
memory/1888-309-0x0000000076990000-0x0000000076F43000-memory.dmp

Filesize
5.7MB

Download
memory/1888-299-0x00000000746B0000-0x0000000074739000-memory.dmp

Filesize
548KB

Download
memory/1900-285-0x0000000004BA0000-0x00000000051B8000-memory.dmp

Filesize
6.1MB

Download
memory/1900-262-0x0000000072510000-0x0000000072CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-260-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/2420-234-0x0000000005700000-0x0000000005D18000-memory.dmp

Filesize
6.1MB

Download
memory/2420-235-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

Filesize
1.0MB

Download
memory/2420-233-0x0000000005800000-0x000000000583C000-memory.dmp

Filesize
240KB

Download
memory/2420-230-0x0000000072510000-0x0000000072CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2420-232-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/2420-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-231-0x0000000005D20000-0x0000000006338000-memory.dmp

Filesize
6.1MB

Download
memory/2464-300-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2464-313-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2464-306-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2464-302-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/2468-196-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2468-187-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2756-195-0x0000000000B50000-0x0000000000BBA000-memory.dmp

Filesize
424KB

Download
memory/2756-220-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2756-219-0x0000000005350000-0x000000000536E000-memory.dmp

Filesize
120KB

Download
memory/2756-225-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/2756-212-0x0000000072510000-0x0000000072CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2756-201-0x00000000053A0000-0x0000000005416000-memory.dmp

Filesize
472KB

Download
memory/3060-224-0x0000000003310000-0x0000000003326000-memory.dmp

Filesize
88KB

Download
memory/3108-340-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/3496-303-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3496-295-0x0000000002420000-0x0000000002480000-memory.dmp

Filesize
384KB

Download
memory/3496-307-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/3932-211-0x0000000000400000-0x0000000002C68000-memory.dmp

Filesize
40.4MB

Download
memory/3932-209-0x0000000002DE0000-0x0000000002DE9000-memory.dmp

Filesize
36KB

Download
memory/3932-185-0x0000000002C98000-0x0000000002CA1000-memory.dmp

Filesize
36KB

Download
memory/3932-207-0x0000000002C98000-0x0000000002CA1000-memory.dmp

Filesize
36KB

Download
memory/4440-312-0x00000000006ED000-0x0000000000714000-memory.dmp

Filesize
156KB

Download
memory/4484-341-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4500-253-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/4500-256-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4500-258-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4500-261-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-311-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4512-304-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4512-293-0x0000000002360000-0x00000000023C0000-memory.dmp

Filesize
384KB

Download
memory/4512-308-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4512-314-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4544-263-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4544-248-0x0000000076600000-0x0000000076815000-memory.dmp

Filesize
2.1MB

Download
memory/4544-252-0x0000000000C40000-0x0000000000C86000-memory.dmp

Filesize
280KB

Download
memory/4544-296-0x0000000074240000-0x000000007428C000-memory.dmp

Filesize
304KB

Download
memory/4544-250-0x0000000000C90000-0x0000000000DDE000-memory.dmp

Filesize
1.3MB

Download
memory/4544-246-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4544-274-0x0000000076990000-0x0000000076F43000-memory.dmp

Filesize
5.7MB

Download
memory/4544-243-0x0000000000C90000-0x0000000000DDE000-memory.dmp

Filesize
1.3MB

Download
memory/4544-301-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4544-251-0x00000000746B0000-0x0000000074739000-memory.dmp

Filesize
548KB

Download
memory/4544-259-0x0000000000C90000-0x0000000000DDE000-memory.dmp

Filesize
1.3MB

Download
memory/4544-244-0x0000000000C90000-0x0000000000DDE000-memory.dmp

Filesize
1.3MB

Download
memory/4696-257-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4696-249-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download
memory/4832-287-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/4832-286-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4832-291-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/4832-281-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/4884-210-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

Filesize
8KB

Download
memory/4884-208-0x00007FFD2B120000-0x00007FFD2BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-184-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/5060-214-0x0000000004930000-0x00000000049CD000-memory.dmp

Filesize
628KB

Download
memory/5060-217-0x0000000000400000-0x0000000002CC4000-memory.dmp

Filesize
40.8MB

Download
memory/5060-213-0x0000000002FA8000-0x000000000300D000-memory.dmp

Filesize
404KB

Download
memory/5060-178-0x0000000002FA8000-0x000000000300D000-memory.dmp

Filesize
404KB

Download