fabookie | 7eb214c1bf3b304e98eb37ac52c1fdb22f2c9b5bdad78cd33bfba0c544218f74

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ab3677b51329a0d044c8e75d80e0f6d.exe
Size

3.1MB
MD5

6ab3677b51329a0d044c8e75d80e0f6d
SHA1

70b9ff61f42e0a27eace42a7f8fa00d7ea8fb991
SHA256

7eb214c1bf3b304e98eb37ac52c1fdb22f2c9b5bdad78cd33bfba0c544218f74
SHA512

192f61319db69801dd7fcebcea349fcc1d51cb00a30179e2df5eec4c5f748564857207627f3e523cc03034b31a3c345152d6970e0212e9d1d9d27c9a7daa2c9f
SSDEEP

49152:EgTbJWbtaM4oNRU2Dhm/EGbKXTTUzChuLBXZ4+9/bkkd6wLP7qUxrGSr/Yfmgr3:JnStD4oTU2tRGmX3UxtaqTR7XNxDcfr3

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.8

Botnet

706

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

AniOLD

liezaphare.xyz:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023230-88.dat	family_fabookie
behavioral2/files/0x0006000000023230-98.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sonia_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sonia_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sonia_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sonia_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	sonia_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sonia_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sonia_7.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4536-169-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4536-169-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/2668-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4424-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2412-167-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4628-164-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3896-197-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1476-201-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4584-215-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/64-213-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1620-146-0x0000000003150000-0x00000000031ED000-memory.dmp	family_vidar
behavioral2/memory/1620-154-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar
behavioral2/memory/1620-202-0x0000000000400000-0x000000000146C000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023236-44.dat	aspack_v212_v242
behavioral2/files/0x0006000000023231-52.dat	aspack_v212_v242
behavioral2/files/0x0006000000023234-56.dat	aspack_v212_v242
behavioral2/files/0x0006000000023234-61.dat	aspack_v212_v242
behavioral2/files/0x0006000000023232-53.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	6ab3677b51329a0d044c8e75d80e0f6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	sonia_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	sonia_7.exe

Executes dropped EXE 22 IoCs

pid	Process
3004	setup_installer.exe
5016	setup_install.exe
4972	sonia_1.exe
2932	sonia_4.exe
1620	sonia_3.exe
1820	sonia_10.exe
4832	sonia_2.exe
3624	sonia_5.exe
116	sonia_9.exe
4052	sonia_6.exe
3112	sonia_7.exe
3552	sonia_1.exe
2328	sonia_5.tmp
2668	jfiag3g_gg.exe
4424	jfiag3g_gg.exe
4628	jfiag3g_gg.exe
2412	jfiag3g_gg.exe
4536	sonia_4.exe
3896	jfiag3g_gg.exe
1476	jfiag3g_gg.exe
64	jfiag3g_gg.exe
4584	jfiag3g_gg.exe

Loads dropped DLL 7 IoCs

pid	Process
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
2328	sonia_5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023245-133.dat	upx
behavioral2/memory/2668-139-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4424-142-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0006000000023245-141.dat	upx
behavioral2/files/0x0006000000023245-136.dat	upx
behavioral2/memory/2668-134-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0006000000023245-162.dat	upx
behavioral2/memory/2412-167-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0006000000023245-166.dat	upx
behavioral2/memory/4628-164-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0006000000023245-161.dat	upx
behavioral2/files/0x0007000000023245-191.dat	upx
behavioral2/files/0x0007000000023245-194.dat	upx
behavioral2/memory/3896-197-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023245-199.dat	upx
behavioral2/memory/1476-201-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1476-200-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023245-193.dat	upx
behavioral2/files/0x0007000000023245-211.dat	upx
behavioral2/files/0x0007000000023245-214.dat	upx
behavioral2/memory/4584-215-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/64-213-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0007000000023245-210.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io
14	ipinfo.io
20	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 4536	2932	sonia_4.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2212	5016	WerFault.exe	91
4924	1620	WerFault.exe	98

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4832	sonia_2.exe
4832	sonia_2.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4832	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	sonia_10.exe
Token: SeDebugPrivilege	4052	sonia_6.exe
Token: SeDebugPrivilege	4536	sonia_4.exe
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3004	4572	6ab3677b51329a0d044c8e75d80e0f6d.exe	90
PID 4572 wrote to memory of 3004	4572	6ab3677b51329a0d044c8e75d80e0f6d.exe	90
PID 4572 wrote to memory of 3004	4572	6ab3677b51329a0d044c8e75d80e0f6d.exe	90
PID 3004 wrote to memory of 5016	3004	setup_installer.exe	91
PID 3004 wrote to memory of 5016	3004	setup_installer.exe	91
PID 3004 wrote to memory of 5016	3004	setup_installer.exe	91
PID 5016 wrote to memory of 1344	5016	setup_install.exe	107
PID 5016 wrote to memory of 1344	5016	setup_install.exe	107
PID 5016 wrote to memory of 1344	5016	setup_install.exe	107
PID 5016 wrote to memory of 2488	5016	setup_install.exe	106
PID 5016 wrote to memory of 2488	5016	setup_install.exe	106
PID 5016 wrote to memory of 2488	5016	setup_install.exe	106
PID 5016 wrote to memory of 444	5016	setup_install.exe	105
PID 5016 wrote to memory of 444	5016	setup_install.exe	105
PID 5016 wrote to memory of 444	5016	setup_install.exe	105
PID 1344 wrote to memory of 4972	1344	cmd.exe	104
PID 1344 wrote to memory of 4972	1344	cmd.exe	104
PID 1344 wrote to memory of 4972	1344	cmd.exe	104
PID 5016 wrote to memory of 2448	5016	setup_install.exe	103
PID 5016 wrote to memory of 2448	5016	setup_install.exe	103
PID 5016 wrote to memory of 2448	5016	setup_install.exe	103
PID 5016 wrote to memory of 3612	5016	setup_install.exe	102
PID 5016 wrote to memory of 3612	5016	setup_install.exe	102
PID 5016 wrote to memory of 3612	5016	setup_install.exe	102
PID 5016 wrote to memory of 3304	5016	setup_install.exe	101
PID 5016 wrote to memory of 3304	5016	setup_install.exe	101
PID 5016 wrote to memory of 3304	5016	setup_install.exe	101
PID 5016 wrote to memory of 3932	5016	setup_install.exe	100
PID 5016 wrote to memory of 3932	5016	setup_install.exe	100
PID 5016 wrote to memory of 3932	5016	setup_install.exe	100
PID 5016 wrote to memory of 3804	5016	setup_install.exe	95
PID 5016 wrote to memory of 3804	5016	setup_install.exe	95
PID 5016 wrote to memory of 3804	5016	setup_install.exe	95
PID 5016 wrote to memory of 4080	5016	setup_install.exe	94
PID 5016 wrote to memory of 4080	5016	setup_install.exe	94
PID 5016 wrote to memory of 4080	5016	setup_install.exe	94
PID 2448 wrote to memory of 2932	2448	cmd.exe	96
PID 2448 wrote to memory of 2932	2448	cmd.exe	96
PID 2448 wrote to memory of 2932	2448	cmd.exe	96
PID 2488 wrote to memory of 4832	2488	cmd.exe	97
PID 2488 wrote to memory of 4832	2488	cmd.exe	97
PID 2488 wrote to memory of 4832	2488	cmd.exe	97
PID 444 wrote to memory of 1620	444	cmd.exe	98
PID 444 wrote to memory of 1620	444	cmd.exe	98
PID 444 wrote to memory of 1620	444	cmd.exe	98
PID 4080 wrote to memory of 1820	4080	cmd.exe	108
PID 4080 wrote to memory of 1820	4080	cmd.exe	108
PID 3804 wrote to memory of 116	3804	cmd.exe	123
PID 3804 wrote to memory of 116	3804	cmd.exe	123
PID 3804 wrote to memory of 116	3804	cmd.exe	123
PID 3304 wrote to memory of 4052	3304	cmd.exe	122
PID 3304 wrote to memory of 4052	3304	cmd.exe	122
PID 3612 wrote to memory of 3624	3612	cmd.exe	124
PID 3612 wrote to memory of 3624	3612	cmd.exe	124
PID 3612 wrote to memory of 3624	3612	cmd.exe	124
PID 3932 wrote to memory of 3112	3932	cmd.exe	121
PID 3932 wrote to memory of 3112	3932	cmd.exe	121
PID 3932 wrote to memory of 3112	3932	cmd.exe	121
PID 4972 wrote to memory of 3552	4972	sonia_1.exe	117
PID 4972 wrote to memory of 3552	4972	sonia_1.exe	117
PID 4972 wrote to memory of 3552	4972	sonia_1.exe	117
PID 3624 wrote to memory of 2328	3624	sonia_5.exe	110
PID 3624 wrote to memory of 2328	3624	sonia_5.exe	110
PID 3624 wrote to memory of 2328	3624	sonia_5.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ab3677b51329a0d044c8e75d80e0f6d.exe
"C:\Users\Admin\AppData\Local\Temp\6ab3677b51329a0d044c8e75d80e0f6d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_10.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_10.exe
        
        sonia_10.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_9.exe
        
        sonia_9.exe
        5⤵
        Executes dropped EXE
        
        PID:116
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        
        PID:1476
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        6⤵
        Executes dropped EXE
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:64
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_7.exe
        
        sonia_7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Checks computer location settings
        Executes dropped EXE
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_6.exe
        
        sonia_6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_5.exe
        
        sonia_5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 556
      4⤵
      Program crash
      PID:2212

C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2932
- C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4536

C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_2.exe
sonia_2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4832

C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_3.exe
sonia_3.exe
1⤵
- Executes dropped EXE
PID:1620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1040
  2⤵
  - Program crash
  PID:4924

C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_1.exe
sonia_1.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_1.exe" -a
  2⤵
  - Executes dropped EXE
  PID:3552

C:\Users\Admin\AppData\Local\Temp\is-EVS07.tmp\sonia_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EVS07.tmp\sonia_5.tmp" /SL5="$501C6,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
1⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1620 -ip 1620
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sonia_4.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libstdc++-6.dll

Filesize
292KB

MD5
5e64ea291f2b54db798fc6e5672ee008

SHA1
4b93a61fa9b5648918171839910cec1910d7efc1

SHA256
9029fc09860c66d383bdab27d32531c3de890ea64bca2cb6d189345345c9e581

SHA512
c8538ca4d780406a9e8344df3e208702a17fc68da9f29fc92a607e5011aca5b0d77fb85d599d0a73bdb764d399ca784f8afee1758625d0323f5ad02831840fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libstdc++-6.dll

Filesize
234KB

MD5
2e11dc7d6c2df6b18eba9721f5d05c25

SHA1
2fce2b01beba322e06183639c77d24b198466010

SHA256
290577f7d33348b30d41313ef000d4cb5fe3a88aa7949bcb510caa7cb9a211c7

SHA512
a9953eca3855c6927cc3555f028f6f5609e271a87bc222a4b2b2abfa2a953c5951cdfa0d6eed4f1bd3daf5bb330b818598a1d3e1173428a762af3faa97c3ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\setup_install.exe

Filesize
287KB

MD5
694323f2f59e2f071066caccb2b7ba7e

SHA1
8d9b63a4aa933cc5dbbe6328720c899e7331b967

SHA256
840afdf861e04bc929e22c55a1c8d284b62e359661d9de6911fe18231f48fc94

SHA512
0e22a09562d01be1b27a23afc56cbd6dfa25808192ee45a23333b012269c0e9e80b3663592ae47f16e3c492ece6f21d227b00c4e049e72ff390e9428a75bd53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_1.exe

Filesize
46KB

MD5
1d5202073416778d06d8b083c4c2c629

SHA1
941593487cdd890e8b4010a0123aaec51a7f9b56

SHA256
9087962fef0bb4211ec3fd4d8cc931843d68b71a82b85ef795384b9327f0fb3e

SHA512
a0acc4aa645b69f0a5cf781ca1e10341b6061eb9b00a4f4ac3c809959a687934fa6d15370be9be6e384c68e98811b378413392f1a07b79158120cd502112e663

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_1.txt

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_10.txt

Filesize
8KB

MD5
32f26aa4b7563812f3a1a68caad270b1

SHA1
91a45d1d4246a4c574e1238751ffacc68acc5fa7

SHA256
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a

SHA512
96ac29b91dc1a350b704c0159ec5dd77813068440a67f34b3780fceca6515867afe3d16b900d64c148f7b232989e82a48e9ae8ecdb8177b004d63c02dedbc34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_2.exe

Filesize
110KB

MD5
8044b6730abfaefd4233f5e4a96ee7a1

SHA1
9d870ebd384f965f33ffe7ca3de3288cf6c3036a

SHA256
b0e89e6eae14ad5dc94b1da9eb8b239db20d1915a8cc3dee6fa636326a8bcbee

SHA512
d27c9c814c781854ee961be6eb6d176c2dd9e1840c1bf648bf240e2f00845005ebf5bfd5f89034cb07015e8983dee8efbfd080e7780e8b255bc524f2472a3993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_2.txt

Filesize
250KB

MD5
e15d173286d125056ce3350309eec28d

SHA1
3afccd783f0cdeaf549ea989f26da8a189dc4c87

SHA256
2f423c1bed693f48b771fbc9a4277b14fdbc95ffea8283c5cdc82499b29c9281

SHA512
ebbdda0fe5eef5d877a606663997d53fd8f045ceb5a792e67a97b9d2e474e403b0e14c18fd2d730cbc36824dc045cf1f7973d94f8ff0d9bd83e9de05a5df533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_3.exe

Filesize
617KB

MD5
8cd7285d5e60bf65bee83a85d45c4f49

SHA1
e97b340224584bcadacfff06bf5cd9b5e8bc5825

SHA256
94ff0c6eadeea61a4330dfdc709c49f6f4cbbd2506aec9e3488d1b177eb43cf6

SHA512
f5d1c496c5e528955a888ff7e3e17f7f94e3997cba06191698d1c682efd01b54e4aed9ec5ae53a126712fd5f5a8f16fdce59141a794bd00eb5c5755c35cf8421

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_3.txt

Filesize
336KB

MD5
56ab89c0fcb71723662b6d56fe859cc8

SHA1
d5ec4b24cdce8d8bc992d953cceabdc747374fda

SHA256
486cc494165c31f145e404dec914d51269bf10b167dc7862d77a2c4158139d81

SHA512
b7a67db8b9d70d43385486946c745ebc728c899b772bafcba368b97a1e20d22bfacdb43198d067a8c7c00b263baf299ae650ce35417b60afc78e4f0792c0d18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.exe

Filesize
62KB

MD5
3410e8880fc46c16bf62602ae32bef0e

SHA1
0f5b7dd9a3630cb589b6d9508a6f2096b40ac6bd

SHA256
e6ac60781dd109629c1439c0a51ee191aa0e5eefcca5ff92f777cde713910859

SHA512
fe38ad41a9fc5300a7b35f0662743d85feddd09b4205572589bdd3c2ce4688fca55e0f975f2d73b0aadab992312c6b2875bddc3903056e8b24a46221d283c914

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.exe

Filesize
37KB

MD5
64e802961b5199a3f98dbfe461f5c442

SHA1
dbaea0ff5ce4c08641810b596f1ff327f397f203

SHA256
c7d38eb634059a3974f92cea8b1692b82b3e14cddc99df6a993049f754545a95

SHA512
291caa6ba7191ece645337d1a4f63b9dc48d37018a06d99ef540f11121c56f882405c036f6bb675b065b204db6a3de9af05c2b8760465f65908e4d2e54cde754

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_4.txt

Filesize
390KB

MD5
eb73f48eaf544bf7e035a58f95f73394

SHA1
251f0d09f14452538ecfa0924a4618c3c16887e3

SHA256
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce

SHA512
a190b5e95308aa2a855dbb6c93841fbfbd79bd3c04b3f3c90e94b88c35c0409de68c39f31373b7dce38998ecdc35064541efad17f63978e14022ec9efac3b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_5.exe

Filesize
354KB

MD5
e0bdf74d42ca84af724288b4101f235f

SHA1
f9534358de38949a13b8308ebc22e1d5d6bdcde3

SHA256
cdf81d3ecc8b9b5dabc447ae0863f052cfaa9eb9cd79e2a96299822459a6d544

SHA512
b9156822cbabc9540437f43b9a69a5911449178b7e83e09fbfe1ee61c57e16f1a535d2cdfe7350d831907f186fe97b2cbfa8304e29fd782500215630c67535d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_5.txt

Filesize
288KB

MD5
d6b6ae4967bd12fd926a180bfabdf437

SHA1
6b85c616fac1baf8e371e14b73119a33a062f9a9

SHA256
c6ca5a7a510f0808d54c3af25e5b07b2082fafee2de4c9a383747445bbb2bf41

SHA512
cbc75f475fc89df4ffc983c6182b8317b70e449cabe9de0c4fa7303c80afbfea09b4f36fac314b373e46716e23d8cfeeee92337f379b5bfe6a6c2c85b0fbe6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_6.exe

Filesize
118KB

MD5
6d85b6e68e26737833e506992d28d4d6

SHA1
a7bf28ff9d510975a2502231d0c6eb511b79cb5f

SHA256
63a49e0d35e0aec4fc3244a6acf29e04400142a29aea24243cc3d9c8e9a8a00d

SHA512
248b71339d348fe255186a1d79e4716df75bc27fa05db0dca1995717a940f4ace290db83996a5011530504ac0fc63ffd6f24729523c88edc257e023cf47a92ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_6.txt

Filesize
186KB

MD5
19c2278bad4ce05a5efa4b458efdfa8b

SHA1
521d668d24f05c1a393887da1348255909037ce2

SHA256
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85

SHA512
8d39a3ff6746259cf9418f6a546c228fc8eedfe072749963221212ff0272a7eb9e1d63763f0da08aebf0c9258c665b0724d461c49392cead248572c85c1d2982

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_7.exe

Filesize
385KB

MD5
4ee5a425859d0c995e049f00ff764297

SHA1
587aa990934e52aa5a9751fa51c6f204c2917944

SHA256
afec9bbeaa623672621d7b2d2f8676a4d94ff3275e320ecde48a54604c725fb1

SHA512
d31502a3e086aea8f5657c8b8292e640fdbdf37ba3c57aef73eceaef1e87dead3b8c02ad0d1532b0153f0f897a981264ace3cd20e8de7346ea652fffd09f58c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_7.txt

Filesize
217KB

MD5
d5381ee47a1cb2a5bfac8ca61efbb456

SHA1
92e0ee9d1953554f3497cb3ea15b3cbaa3ba7b56

SHA256
f79eba668ffb0afdcc85e841c474463baa4c0c5b3b586bbfb4fee0d11421e496

SHA512
cd8b125774e68c8a9c96413d75bf9b948f1f27fd72457af4369d588340e18aa3345f91f4d8210b40bcb1770d914059cc49dc89d27506e99754715d4d641c10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_9.exe

Filesize
644KB

MD5
8731b6d1864870bf6c7572ce0f3266ad

SHA1
4af666118030121a0e8f1a6d4c7b00322a8454eb

SHA256
48da1d1a5c7a3b7b3f4a86efc696eb8b3530e34e664f3585ae9c39ae0f08c9fb

SHA512
4654d140d2f2eac1cc9b07c05b76ca7f6a3aace897ae551d9506f698a2dc70c2d538e9faf3e97e7d0a34f900da31c2faab339c232848090cd03a6e99e81f46d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCBB04CE7\sonia_9.txt

Filesize
300KB

MD5
73a47bd69a0d11c65d8dd2ba238eb3cc

SHA1
fa421d02932e9fb161a14397640495a0467ea6d8

SHA256
266723463d860ff75446a4f8c22d0561f635a20f21c2e618d252a0d3da2a0786

SHA512
ec3080f6467b0318ec675deaa215998ec858c429900b98794e11de1bd844921fb478092a07445e16901f08d08bcc0874350e850473b2be9c5f1c337f8dfcb7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EVS07.tmp\sonia_5.tmp

Filesize
98KB

MD5
0fc77692ffe7d98f13761510185421bd

SHA1
7daa055554e2f41230cdcb7032952c85082e79e7

SHA256
43d7d43dc99cf74f3144f5ccaf49f6eb3fc2940bbe43d514c7675d6fb6f9ebf1

SHA512
7e156b91483eca448c0f76c79cc505699e5f51503af5a5b005af96cf9dc0727f99626d96f8f7915ddb598253dc316cc4c9711e9fb8d4e47039b9ab6dbbf09a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EVS07.tmp\sonia_5.tmp

Filesize
128KB

MD5
79d82b580a5409e1280ad5fb57ab19df

SHA1
1a1fe31a00d1701a50cafaaee5eee9800e3cb21d

SHA256
3405c8dd27e1863fd852901d21107519db1e7cf176dd84616357d12514409cc8

SHA512
eb48d7d4c3cdae6b8437140bc8da53aed9ae2197321f53d38fbaf0924ee00d09e68a26560e1928020d5e32823215d297e829240e6183d7e171d8ee06ab897b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HP992.tmp\idp.dll

Filesize
46KB

MD5
488d2c910108755ee7fc8522c5bcbd94

SHA1
9e98b39299b31051c57c16a99ea5130a99b8c13f

SHA256
98001e807a48a7e90fa052106c7aba0df6f3b993e2af8d393d2016b6fb7fa3c5

SHA512
d43f7852b987c7daf803121e08ad2593b4dedf8ebfa168024f3f2dc7e96c0bcbaa724c16ca23b239a72e1bd1105d0977f27096c2498d2dbeeee5ead81153713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
57KB

MD5
7019a216b53ce9042819c4c5809d243b

SHA1
b26deb4ca28d3a0a5dd8b4e59f8660c2de96d3ef

SHA256
3e572b564272851bb1d4d747201756d0cafffc94fab95455ec935ce6f72bb42c

SHA512
842e04554cb8e17dc95501c411ba0bb6fc7cc6b12705ce4dd22659cd3ea29744d3523135e7a0c38226d0a2538fa461a3d88bc5a6d415f88a1341c002f8a51966

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
136KB

MD5
78321c5968fc18470274b4478f9a20c8

SHA1
cce6b1354f4e4fc81239fc11d03437785cccead2

SHA256
6c2bbc543b1db350d1bb98eab9b15fcc6e7f6e03f85f85a10a74ba13ffd57ca2

SHA512
6d2a6d9c94b8c17b32755e3ccaac01b38d1566d543ced67afc1f4b9f45d90cb7504df8ea1b8d4084f7161567297e1bf022b50d635231715b2570ced096c21e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
42KB

MD5
0d621272b965ed0af40164b7293ca521

SHA1
f17f8756dab7f9b60e67397127e84cab804f5a61

SHA256
6378460587639e6511ddf90e75ad9775be9fbe2ba55380330f62f13698aeafe7

SHA512
a4ff7eee34a809cbab7dbef12e9a3ab1e802e9d229ee63a54b80aa27f7f9feebe41b1a000912f78e53a140c132141193764bf0f0848e4352c99af31772383aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
175KB

MD5
fbed2ead2e4b99a16792dc710be62969

SHA1
495ff77c69f7474834da3501d1f89fed877a8fdb

SHA256
720e34257e0b6752a7b7649d41291680b9a86158b5ce0cc604e42974f9282ad6

SHA512
aa0e025189548816b6e20cfbabb4fb4185abd00bed7e5db79f3d072629f366ef7edcecc0de9adeaf105579a1c4607e486cf881949954bd6e1b73f0fcd72b4449

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
92KB

MD5
6d659c592451ed7003d831e64614f337

SHA1
c0c12347ac46be9d510b4d3fdb5223a3b35b7648

SHA256
75dd51a4a95303aea9d0ab567ff111091be23cf7564e1087d77eaa73da74bbc0

SHA512
7b7876549a7e3b166314a74e7e6004c7354004068b105b33d7d8cb851b1930351e34f7e239ae058c76cbe3d3433314e29bde67ce463c13be793cff129e028c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
85KB

MD5
76b76de8bc94cec4a4dd4f0f0933b9f5

SHA1
e4087964579eae7f740bccd3bdc1ab0bea26de64

SHA256
e37451b6da99cc6bfefb9cc09073764f4af5fc7c7d77d30faf0d61d4a9d35a61

SHA512
f1bf5027f2f609b0929c60de6445341d726546cbbc0a6c82733ad247229e4bd7c447c05478362601ca5bf67f5870e98179373508911bdf86bf5350603708bf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
82KB

MD5
edf6c41c57e4c3119b59243a8549f899

SHA1
1f2f7c9ebd2b7e6f53050deaa66041178cd60e66

SHA256
5896dbcddf0e23943c7be2119a4b8e6fc5e02bdcc27f8aac65925d17a4fea08a

SHA512
f69929e18ffaa70c04ecd4f03d3d61735442889ac3751cc4f22d2ad0c759d26d21bcf7544175a660f4bdb1de9dd6d7b6278a0f82306e8db7b930ba879981bc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
182KB

MD5
9ad776ae01c0f26f202956e09120d801

SHA1
2bcd86384ae7ae08ff8cd618cac8d01f5dabea3b

SHA256
20064b68e7a1659b59ed3d6f11c1fae88c2ee2f4bbe9c7765db615df5314af92

SHA512
05f9eaceafabaed77e3275b2ab6e6e0712db5cb0f1efeac124c2aa8dd94b66bddaf9283cb85072c6cc0d2ea263ac66da5a43cbd6b69ef5fbc66971e8f2105f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
141KB

MD5
0db9848114ed50b24a30d9394c3b4361

SHA1
fa9db9a341eb6e757d1691867e1a4591d4bb37af

SHA256
8993b85e93aeca12d643228598d71b9cf7d4c9d0f84fe799c13c982124cd094a

SHA512
f08fb849fdca65e55b9cdfc9b67c321b599c6e14f93b01f01464b8ba73ed6da512c80470dd6fe6662bf0a47ac3138b25f24806abcdb67dfcb8bd65517bd15982

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
102KB

MD5
943de34de5adc87ae69db3b50aac6ec1

SHA1
e3cc9442c707566644b2484ad29364c08db79414

SHA256
70529771625f7a1a772ca17950c92d0f4f1a6a7594b3b39fa17ef0414bae8871

SHA512
d4c63da39050447fc45239a7567d04d2719d73d3da2cfb1f6d695d2c8d7c197b15fa40ad8e78ed57901764f4ee4956a77eb361494df7085ddb29b62357d8f322

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
180KB

MD5
57ee41b02df81484e913f3f0ab1d6b94

SHA1
53b064b628b4a16a08cbf143c8b0df3d90611ab2

SHA256
4b887d3466b813ecd4d922886eed128320bf41e086aa611e84911cac70fadc85

SHA512
e0bd6768c54dd22b4d31df271b52ce74b6961d438348a436e36a45bd3aac5068110f056e551e272644ffd0de2dc76c4e5c19846bed2a22b5ac2d83495ade574a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
79KB

MD5
ab75d96b0fa42b18172592281ee656ea

SHA1
f031f4d549e9f8d661d6ec039c78b89989198d3d

SHA256
1005e7b319eca1c34699e7a46356d3088aaa6aed3d308a83db8c5882c5154791

SHA512
ef625c69cfd345a7d81d7ab477604793444a2c42fe92a5f0a8029ebb07787cb645cc833abb2b95c9ad72ec44ec5d19e0365acc4d3ed8a2c0b823449cdf8d6b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1.9MB

MD5
c3343bf7ac0b6b648abd0ade7bb97de9

SHA1
8c4c9f9dbbd5c0437c49e885a4e0a4aeb3489fde

SHA256
850382beb3ae9a9fcf99a77a4d0c19ae1f0ab8d5afd2181aeb00dc4a3266707b

SHA512
6fc71659b1953fc4b19e8ce469328539dfa5f0a46012f0d78824455dca35f3d6ed9ab3e4133e25a668a3d7da2b9d3e2e8bdd42d67178d5d2c1e85ea15bb44f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.5MB

MD5
89e8e1b7f0410b88f1f20e1dd911df15

SHA1
411e89d806ad1e4fd2f516bb77490df6174c839d

SHA256
87a2bfb5de6cd3dfee25016a2e6be5ad7286ded29ec244fd9de28b1ea8a876c0

SHA512
b0b1aefdf0d738fff4b33d09a63e7dabefbbb4c688038d2ba5264501ade06eeba170fd74328bc9c6a981a8252f180252bf6d55b3d3b4b8c53ca6f0b18fb6af30

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.0MB

MD5
98cf7587435d603dbd7cf32b5dc985af

SHA1
0920aa37113ca0ee6011873aeb0688914c0eb4ae

SHA256
0eab15afca40da3808f9d4d14e804080cef0c17a3444ddaffaf5699b96fa5a17

SHA512
1b22f8701440af46124e3c7eedb88f2ab9f825a931a8b7216f6a9629d955289ae0b5d61018e079ee0cda897a27a6f8ec97307ed7dba196823cc78aea4a7cce84

Download Submit
C:\Users\Admin\AppData\Roaming\cstjtsr

Filesize
169KB

MD5
487c67e04836e93e9d8c2fc716aa064e

SHA1
00972d059b993a4929cf086b6f37fb30ccaf605d

SHA256
f993401e1721ee02d103dc3e75d518f87346eea780dc0dcb9d1d61a8b0d6c3fc

SHA512
b8896a5851d58c8151570e5d7e4329720a79addb71a7778187f7dd34b844f58731aed3b869a529f76b32409a8f8e862faaf41683fa0e0c59d6267517e9327874

Download Submit
memory/64-213-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1476-201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1476-200-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1620-202-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/1620-144-0x0000000001520000-0x0000000001620000-memory.dmp

Filesize
1024KB

Download
memory/1620-154-0x0000000000400000-0x000000000146C000-memory.dmp

Filesize
16.4MB

Download
memory/1620-146-0x0000000003150000-0x00000000031ED000-memory.dmp

Filesize
628KB

Download
memory/1820-102-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/1820-113-0x00007FFA97070000-0x00007FFA97B31000-memory.dmp

Filesize
10.8MB

Download
memory/1820-168-0x00007FFA97070000-0x00007FFA97B31000-memory.dmp

Filesize
10.8MB

Download
memory/1820-196-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/1820-128-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2328-233-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2328-129-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2328-218-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2412-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-134-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2932-138-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/2932-112-0x0000000004E60000-0x0000000004ED6000-memory.dmp

Filesize
472KB

Download
memory/2932-126-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2932-104-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/2932-105-0x00000000005F0000-0x0000000000658000-memory.dmp

Filesize
416KB

Download
memory/2932-124-0x0000000004E30000-0x0000000004E4E000-memory.dmp

Filesize
120KB

Download
memory/2932-173-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/3432-203-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/3624-100-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3624-127-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3624-234-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3896-197-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4052-140-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/4052-130-0x0000000002B50000-0x0000000002B78000-memory.dmp

Filesize
160KB

Download
memory/4052-108-0x0000000000A90000-0x0000000000AC6000-memory.dmp

Filesize
216KB

Download
memory/4052-135-0x0000000001420000-0x0000000001426000-memory.dmp

Filesize
24KB

Download
memory/4052-157-0x00007FFA97070000-0x00007FFA97B31000-memory.dmp

Filesize
10.8MB

Download
memory/4052-125-0x00007FFA97070000-0x00007FFA97B31000-memory.dmp

Filesize
10.8MB

Download
memory/4052-123-0x0000000001410000-0x0000000001416000-memory.dmp

Filesize
24KB

Download
memory/4424-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4536-174-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/4536-175-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/4536-222-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4536-221-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/4536-189-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/4536-182-0x0000000005420000-0x000000000546C000-memory.dmp

Filesize
304KB

Download
memory/4536-181-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4536-176-0x0000000005380000-0x0000000005392000-memory.dmp

Filesize
72KB

Download
memory/4536-169-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4536-177-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/4584-215-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4628-164-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4832-205-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/4832-153-0x0000000000400000-0x0000000001410000-memory.dmp

Filesize
16.1MB

Download
memory/4832-148-0x0000000001520000-0x0000000001529000-memory.dmp

Filesize
36KB

Download
memory/4832-155-0x0000000001580000-0x0000000001680000-memory.dmp

Filesize
1024KB

Download
memory/5016-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5016-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-76-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-79-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-77-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-78-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-75-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5016-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5016-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5016-151-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/5016-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5016-69-0x00000000007F0000-0x000000000087F000-memory.dmp

Filesize
572KB

Download
memory/5016-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5016-80-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5016-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5016-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5016-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5016-145-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5016-48-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5016-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download