glupteba | 2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

Target

8 (19).exe
Size

3.0MB
MD5

bb072cad921aa5ce8b97706ce01bc570
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd
SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

sel17

dwarimlari.xyz:80

Extracted

Family

vidar

Version

39.7

Botnet

865

https://shpak125.tumblr.com/

Attributes

profile_id
865

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.7

Botnet

828

https://shpak125.tumblr.com/

Attributes

profile_id
828

Extracted

Family

vidar

Version

39.6

Botnet

517

https://sslamlssa1.tumblr.com/

Attributes

profile_id
517

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral21/memory/2752-390-0x0000000002D50000-0x0000000003676000-memory.dmp	family_glupteba
behavioral21/memory/2752-391-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral21/memory/2872-251-0x0000000000417DEA-mapping.dmp	family_redline
behavioral21/memory/2872-249-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral21/memory/1936-263-0x0000000000417DFA-mapping.dmp	family_redline
behavioral21/memory/3056-261-0x0000000000417DEE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

redlinestealer 4 IoCs

RedlineStealer.

stealer

Processes:

resource	yara_rule
behavioral21/memory/2872-251-0x0000000000417DEA-mapping.dmp	Redline_stealer2
behavioral21/memory/2872-249-0x0000000000400000-0x000000000041E000-memory.dmp	Redline_stealer2
behavioral21/memory/1936-263-0x0000000000417DFA-mapping.dmp	Redline_stealer2
behavioral21/memory/3056-261-0x0000000000417DEE-mapping.dmp	Redline_stealer2

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral21/memory/1016-160-0x0000000002270000-0x000000000230D000-memory.dmp	family_vidar
behavioral21/memory/1016-161-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral21/memory/2712-384-0x0000000000340000-0x00000000003DD000-memory.dmp	family_vidar
behavioral21/memory/2712-385-0x0000000000400000-0x00000000008EC000-memory.dmp	family_vidar
behavioral21/memory/2372-395-0x00000000008F0000-0x000000000098D000-memory.dmp	family_vidar
behavioral21/memory/2372-396-0x0000000000400000-0x00000000008EB000-memory.dmp	family_vidar
behavioral21/memory/1996-404-0x00000000021A0000-0x000000000223E000-memory.dmp	family_vidar
behavioral21/memory/1380-405-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

setup_installer.exesetup_install.exesonia_4.exesonia_1.exesonia_2.exesonia_3.exesonia_5.exesonia_6.exejfiag3g_gg.exeYCb7xPEKJAoKNG4baDTL6ydJ.exeeyWmyb3MtRATGQgTNvrZAL_c.exetaskkill.exebsXAAXp0rVhAYopR1FzfBWAX.exeuren1NgW68TZtePurtGVEnbZ.exewmiprvse.exeDllHost.exemzNoaTLwpChodbqqobM8w6aY.exevgAgKjYS2BgDZonkYSX_cxVw.exeDKDlG2eI1OTWcDEpjLGvRARu.exeIEXPLORE.EXEAcre.exe.comjfiag3g_gg.exeAcre.exe.comrcvbecsTnqOJlG5MEbN9y3LSRVr6pi0.exe

pid	process
836	setup_installer.exe
1712	setup_install.exe
112	sonia_4.exe
1552	sonia_1.exe
368	sonia_2.exe
1016	sonia_3.exe
1836	sonia_5.exe
1204	sonia_6.exe
1104	jfiag3g_gg.exe
1348	YCb7xPEKJAoKNG4baDTL6ydJ.exe
792	eyWmyb3MtRATGQgTNvrZAL_c.exe
1104	taskkill.exe
2016	bsXAAXp0rVhAYopR1FzfBWAX.exe
1524	uren1NgW68TZtePurtGVEnbZ.exe
1332	wmiprvse.exe
1580	DllHost.exe
2012	mzNoaTLwpChodbqqobM8w6aY.exe
744	vgAgKjYS2BgDZonkYSX_cxVw.exe
2140	DKDlG2eI1OTWcDEpjLGvRARu.exe
2480	IEXPLORE.EXE
2592	Acre.exe.com
2640	jfiag3g_gg.exe
2668	Acre.exe.com
2712	rcvbecs
2700	TnqOJlG5MEbN9y3LSRVr6pi0.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral21/memory/2760-242-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect
behavioral21/memory/2760-377-0x0000000000400000-0x000000000064F000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vgAgKjYS2BgDZonkYSX_cxVw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vgAgKjYS2BgDZonkYSX_cxVw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vgAgKjYS2BgDZonkYSX_cxVw.exe

Loads dropped DLL 64 IoCs

Processes:

8 (19).exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exesonia_2.exesonia_3.execmd.exesonia_5.exesonia_6.exejfiag3g_gg.exetaskkill.exeuren1NgW68TZtePurtGVEnbZ.exewmiprvse.exebsXAAXp0rVhAYopR1FzfBWAX.exeDKDlG2eI1OTWcDEpjLGvRARu.exemzNoaTLwpChodbqqobM8w6aY.execmd.exeWerFault.exe

pid	process
1608	8 (19).exe
836	setup_installer.exe
836	setup_installer.exe
836	setup_installer.exe
836	setup_installer.exe
836	setup_installer.exe
836	setup_installer.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
1712	setup_install.exe
936	cmd.exe
1736	cmd.exe
1736	cmd.exe
1644	cmd.exe
1644	cmd.exe
824	cmd.exe
928	cmd.exe
928	cmd.exe
368	sonia_2.exe
368	sonia_2.exe
1016	sonia_3.exe
1016	sonia_3.exe
1188	cmd.exe
1836	sonia_5.exe
1836	sonia_5.exe
1204	sonia_6.exe
1204	sonia_6.exe
368	sonia_2.exe
1204	sonia_6.exe
1204	sonia_6.exe
1104	jfiag3g_gg.exe
1104	jfiag3g_gg.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1836	sonia_5.exe
1104	taskkill.exe
1104	taskkill.exe
1524	uren1NgW68TZtePurtGVEnbZ.exe
1524	uren1NgW68TZtePurtGVEnbZ.exe
1332	wmiprvse.exe
1332	wmiprvse.exe
1332	wmiprvse.exe
2016	bsXAAXp0rVhAYopR1FzfBWAX.exe
2016	bsXAAXp0rVhAYopR1FzfBWAX.exe
2140	DKDlG2eI1OTWcDEpjLGvRARu.exe
2140	DKDlG2eI1OTWcDEpjLGvRARu.exe
2012	mzNoaTLwpChodbqqobM8w6aY.exe
2012	mzNoaTLwpChodbqqobM8w6aY.exe
2376	cmd.exe
2520	WerFault.exe
2520	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2908 icacls.exe

pid	process
2908	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sonia_6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

vgAgKjYS2BgDZonkYSX_cxVw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vgAgKjYS2BgDZonkYSX_cxVw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
17	api.db-ip.com
276	api.2ip.ua
538	api.2ip.ua
795	api.2ip.ua
4	ipinfo.io
6	ipinfo.io
11	ip-api.com
18	api.db-ip.com
278	api.2ip.ua
311	api.2ip.ua
494	eth0.me
537	api.2ip.ua
794	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vgAgKjYS2BgDZonkYSX_cxVw.exe

pid process

744 vgAgKjYS2BgDZonkYSX_cxVw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wmiprvse.exe

description pid process target process

PID 1332 set thread context of 2140 1332 wmiprvse.exe DKDlG2eI1OTWcDEpjLGvRARu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2520 1016 WerFault.exe sonia_3.exe
3024 2760 WerFault.exe Lqq6nsllzOZDzYMMFEftThNI.exe

pid	process
744	vgAgKjYS2BgDZonkYSX_cxVw.exe

description	pid	process	target process
PID 1332 set thread context of 2140	1332	wmiprvse.exe	DKDlG2eI1OTWcDEpjLGvRARu.exe

pid	pid_target	process	target process
2520	1016	WerFault.exe	sonia_3.exe
3024	2760	WerFault.exe	Lqq6nsllzOZDzYMMFEftThNI.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sonia_2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2368 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2928 timeout.exe
2332 timeout.exe
2976 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2420 taskkill.exe
2924 taskkill.exe
2064 taskkill.exe
1104 taskkill.exe

pid	process
2368	schtasks.exe

pid	process
2928	timeout.exe
2332	timeout.exe
2976	timeout.exe

pid	process
2420	taskkill.exe
2924	taskkill.exe
2064	taskkill.exe
1104	taskkill.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_5.exemzNoaTLwpChodbqqobM8w6aY.exesonia_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sonia_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mzNoaTLwpChodbqqobM8w6aY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sonia_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mzNoaTLwpChodbqqobM8w6aY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mzNoaTLwpChodbqqobM8w6aY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sonia_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mzNoaTLwpChodbqqobM8w6aY.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2884 regedit.exe
768 regedit.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2492 PING.EXE
1860 PING.EXE

pid	process
2884	regedit.exe
768	regedit.exe

pid	process
2492	PING.EXE
1860	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exe

pid	process
368	sonia_2.exe
368	sonia_2.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sonia_2.exe

pid process

368 sonia_2.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

mzNoaTLwpChodbqqobM8w6aY.exe

description	pid	process
Token: SeCreateTokenPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeAssignPrimaryTokenPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeLockMemoryPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeIncreaseQuotaPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeMachineAccountPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeTcbPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeSecurityPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeTakeOwnershipPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeLoadDriverPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeSystemProfilePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeSystemtimePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeProfSingleProcessPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeIncBasePriorityPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeCreatePagefilePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeCreatePermanentPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeBackupPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeRestorePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeShutdownPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeDebugPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeAuditPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeSystemEnvironmentPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeChangeNotifyPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeRemoteShutdownPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeUndockPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeSyncAgentPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeEnableDelegationPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeManageVolumePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeImpersonatePrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: SeCreateGlobalPrivilege	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: 31	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: 32	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: 33	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: 34	2012	mzNoaTLwpChodbqqobM8w6aY.exe
Token: 35	2012	mzNoaTLwpChodbqqobM8w6aY.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1212
1212
1212
1212
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1212
1212
1212
1212

pid	process
1212
1212
1212
1212

pid	process
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8 (19).exesetup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 1608 wrote to memory of 836	1608	8 (19).exe	setup_installer.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 836 wrote to memory of 1712	836	setup_installer.exe	setup_install.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1644	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 928	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 936	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 824	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 1188	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 1712 wrote to memory of 108	1712	setup_install.exe	cmd.exe
PID 936 wrote to memory of 112	936	cmd.exe	sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\8 (19).exe
"C:\Users\Admin\AppData\Local\Temp\8 (19).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
4⤵
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_1.exe
sonia_1.exe
5⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
4⤵
- Loads dropped DLL
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
sonia_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
4⤵
- Loads dropped DLL
PID:928

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
sonia_3.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 988
6⤵
- Loads dropped DLL
- Program crash
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_4.exe
sonia_4.exe
5⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
4⤵
- Loads dropped DLL
PID:824

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.exe
sonia_5.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1836

C:\Users\Admin\Documents\bsXAAXp0rVhAYopR1FzfBWAX.exe
"C:\Users\Admin\Documents\bsXAAXp0rVhAYopR1FzfBWAX.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

C:\Users\Admin\Documents\bsXAAXp0rVhAYopR1FzfBWAX.exe
C:\Users\Admin\Documents\bsXAAXp0rVhAYopR1FzfBWAX.exe
7⤵
PID:2872

C:\Users\Admin\Documents\eyWmyb3MtRATGQgTNvrZAL_c.exe
"C:\Users\Admin\Documents\eyWmyb3MtRATGQgTNvrZAL_c.exe"
6⤵
- Executes dropped EXE
PID:792

C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
"C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
7⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
7⤵
PID:2188

C:\Windows\SysWOW64\regedit.exe
regedit /s adj.reg
8⤵
- Runs .reg file with regedit
PID:2884

C:\Windows\SysWOW64\regedit.exe
regedit /s adj2.reg
8⤵
- Runs .reg file with regedit
PID:768

C:\Users\Admin\Documents\uren1NgW68TZtePurtGVEnbZ.exe
"C:\Users\Admin\Documents\uren1NgW68TZtePurtGVEnbZ.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
7⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
- Loads dropped DLL
PID:2376

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
9⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
Acre.exe.com k
9⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
10⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
11⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
12⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
13⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
14⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
15⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
16⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
17⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
18⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
19⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
20⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
21⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
22⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
23⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
24⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
25⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
26⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
27⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
28⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
29⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
30⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
31⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
32⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
33⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
34⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
35⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
36⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
37⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
38⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
39⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
40⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
41⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
42⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
43⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
44⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
45⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
46⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
47⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
48⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
49⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
50⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
51⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
52⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
53⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
54⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
55⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
56⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
57⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
58⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
59⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
60⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
61⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
62⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
63⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
64⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
65⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
66⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
67⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
68⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
69⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
70⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
71⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
72⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
73⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
74⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
75⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
76⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
77⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
78⤵
PID:1456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
9⤵
- Runs ping.exe
PID:2492

C:\Users\Admin\Documents\Rp2BzvAeEyuiS9rEd719etDy.exe
"C:\Users\Admin\Documents\Rp2BzvAeEyuiS9rEd719etDy.exe"
6⤵
PID:1104

C:\Users\Admin\Documents\YCb7xPEKJAoKNG4baDTL6ydJ.exe
"C:\Users\Admin\Documents\YCb7xPEKJAoKNG4baDTL6ydJ.exe"
6⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Bagnava.xltm
7⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:2260

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^IPAFDLOJiKVQTxFiLgMiLlaMrCAuVnAKdUxdXbtsjyJWSQEpztbDlGmbvNCwlINIlkmYZfphlcUGAvUjYsMQqXmJxXUpUru$" Sia.xltm
9⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
9⤵
- Runs ping.exe
PID:1860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com
Sensitive.exe.com p
9⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p
10⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p
11⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p
12⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Sensitive.exe.com p
13⤵
PID:1300

C:\Users\Admin\Documents\DKDlG2eI1OTWcDEpjLGvRARu.exe
"C:\Users\Admin\Documents\DKDlG2eI1OTWcDEpjLGvRARu.exe"
6⤵
PID:1332

C:\Users\Admin\Documents\DKDlG2eI1OTWcDEpjLGvRARu.exe
"C:\Users\Admin\Documents\DKDlG2eI1OTWcDEpjLGvRARu.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140

C:\Users\Admin\Documents\vgAgKjYS2BgDZonkYSX_cxVw.exe
"C:\Users\Admin\Documents\vgAgKjYS2BgDZonkYSX_cxVw.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:744

C:\Users\Admin\AppData\Roaming\1234.exe
C:\Users\Admin\AppData\Roaming\1234.exe 1234
7⤵
PID:2648

C:\Users\Admin\AppData\Roaming\1234.exe
"{path}"
8⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\srvs.exe
"C:\Users\Admin\AppData\Local\Temp\srvs.exe"
9⤵
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jNEWIvlnVf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93A8.tmp"
10⤵
- Creates scheduled task(s)
PID:2368

C:\Users\Admin\AppData\Local\Temp\srvs.exe
"{path}"
10⤵
PID:2188

C:\Users\Admin\Documents\mzNoaTLwpChodbqqobM8w6aY.exe
"C:\Users\Admin\Documents\mzNoaTLwpChodbqqobM8w6aY.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:2924

C:\Users\Admin\Documents\lZS48JN48f4ojRhJXrwms6KV.exe
"C:\Users\Admin\Documents\lZS48JN48f4ojRhJXrwms6KV.exe"
6⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:1976

C:\Users\Admin\Documents\TnqOJlG5MEbN9y3LSRVr6pi0.exe
"C:\Users\Admin\Documents\TnqOJlG5MEbN9y3LSRVr6pi0.exe"
6⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\Documents\Zff78Suj2gPSLfYzA6H4CX3l.exe
"C:\Users\Admin\Documents\Zff78Suj2gPSLfYzA6H4CX3l.exe"
6⤵
PID:2776

C:\Users\Admin\Documents\Zff78Suj2gPSLfYzA6H4CX3l.exe
C:\Users\Admin\Documents\Zff78Suj2gPSLfYzA6H4CX3l.exe
7⤵
PID:3056

C:\Users\Admin\Documents\Lqq6nsllzOZDzYMMFEftThNI.exe
"C:\Users\Admin\Documents\Lqq6nsllzOZDzYMMFEftThNI.exe"
6⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 276
7⤵
- Program crash
PID:3024

C:\Users\Admin\Documents\S_5ArhhSUDH0fBOhIsWaWZoF.exe
"C:\Users\Admin\Documents\S_5ArhhSUDH0fBOhIsWaWZoF.exe"
6⤵
PID:2752

C:\Users\Admin\Documents\S_5ArhhSUDH0fBOhIsWaWZoF.exe
"C:\Users\Admin\Documents\S_5ArhhSUDH0fBOhIsWaWZoF.exe"
7⤵
PID:2620

C:\Users\Admin\Documents\jpJ7mXch1LXAfNYvLgYHjOPi.exe
"C:\Users\Admin\Documents\jpJ7mXch1LXAfNYvLgYHjOPi.exe"
6⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im jpJ7mXch1LXAfNYvLgYHjOPi.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\jpJ7mXch1LXAfNYvLgYHjOPi.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /im jpJ7mXch1LXAfNYvLgYHjOPi.exe /f
8⤵
- Kills process with taskkill
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2928

C:\Users\Admin\Documents\hyu1EDdvA_Y3LboO0nCF4fwj.exe
"C:\Users\Admin\Documents\hyu1EDdvA_Y3LboO0nCF4fwj.exe"
6⤵
PID:2824

C:\Users\Admin\Documents\hyu1EDdvA_Y3LboO0nCF4fwj.exe
C:\Users\Admin\Documents\hyu1EDdvA_Y3LboO0nCF4fwj.exe
7⤵
PID:1936

C:\Users\Admin\Documents\YxDIZ_QP6ViP7CPWsTH5yugp.exe
"C:\Users\Admin\Documents\YxDIZ_QP6ViP7CPWsTH5yugp.exe"
6⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
4⤵
- Loads dropped DLL
PID:1188

C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.exe
sonia_6.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1204

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
4⤵
PID:108

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1332

C:\Users\Admin\AppData\Local\Temp\9740.exe
C:\Users\Admin\AppData\Local\Temp\9740.exe
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\9740.exe
C:\Users\Admin\AppData\Local\Temp\9740.exe
2⤵
PID:2240

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2908

C:\Users\Admin\AppData\Local\Temp\9740.exe
"C:\Users\Admin\AppData\Local\Temp\9740.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\9740.exe
"C:\Users\Admin\AppData\Local\Temp\9740.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:2256

C:\Users\Admin\AppData\Local\734f952b-2b92-413b-ac9a-abe0859e9741\build2.exe
"C:\Users\Admin\AppData\Local\734f952b-2b92-413b-ac9a-abe0859e9741\build2.exe"
5⤵
PID:1996

C:\Users\Admin\AppData\Local\734f952b-2b92-413b-ac9a-abe0859e9741\build2.exe
"C:\Users\Admin\AppData\Local\734f952b-2b92-413b-ac9a-abe0859e9741\build2.exe"
6⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\734f952b-2b92-413b-ac9a-abe0859e9741\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:1936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:2420

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\SysWOW64\explorer.exe
explorer https://iplogger.org/2LBCU6
1⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\B349.exe
C:\Users\Admin\AppData\Local\Temp\B349.exe
1⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B349.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B349.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:1568

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B349.exe /f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Kills process with taskkill
PID:1104

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2LBCU6
2⤵
PID:2808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
3⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\AppData\Local\Temp\123B.exe
C:\Users\Admin\AppData\Local\Temp\123B.exe
1⤵
PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\4A2D.exe
C:\Users\Admin\AppData\Local\Temp\4A2D.exe
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:1192

C:\Windows\system32\taskeng.exe
taskeng.exe {F6481D86-C9D8-4D84-9E65-129360371493} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:836

C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe
C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe --Task
2⤵
PID:1788

C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe
C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe --Task
3⤵
PID:2636

C:\Users\Admin\AppData\Roaming\rcvbecs
C:\Users\Admin\AppData\Roaming\rcvbecs
2⤵
- Executes dropped EXE
PID:2712

C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe
C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe --Task
2⤵
PID:964

C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe
C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe --Task
3⤵
PID:1280

C:\Users\Admin\AppData\Roaming\rcvbecs
C:\Users\Admin\AppData\Roaming\rcvbecs
2⤵
PID:960

C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe
C:\Users\Admin\AppData\Local\db832783-a613-4090-8008-2428b68f6d97\9740.exe --Task
2⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\4262.exe
C:\Users\Admin\AppData\Local\Temp\4262.exe
1⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8c0ef5594de9bb542153212357c089e3

SHA1
1cf9a85ea934d9b54c8aefccdcb1b41c3136ca70

SHA256
5008ebf70cc7f99acf2eb41a3165fc4f682497e4a8b29f580b1d130506cf4dfa

SHA512
72dda800398807760efe387480a032e2019eec6f1b8fd3759cb4d469aa03addaabe596ae1cb5514882d652913edd098264ed5f4905f950549a9184803719aa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_1.txt
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.txt
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.txt
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_4.exe
MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_4.txt
MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.txt
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.txt
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_4.exe
MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_5.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\7zS443E47D4\sonia_6.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
74231678f536a19b3016840f56b845c7

SHA1
a5645777558a7d5905e101e54d61b0c8c1120de3

SHA256
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SHA512
4117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f

Download Submit
\Users\Admin\Documents\bsXAAXp0rVhAYopR1FzfBWAX.exe
MD5
feae24e878230fff4bad62996c1d0325

SHA1
1191311e26f9909341da8982934863dfa3089992

SHA256
0afeecacdddfdd9a9609abba82f70ccfd06d668536b09220c34e807e5f3b8557

SHA512
0ae2dd7e3c95dbfe425eeb22e7ba4b0688f06df026513bac786fe9f60868594a316333f646128188e8b911c6682e7603670ee20673a9f8f320a2626ba7fe7575

Download Submit
memory/108-118-0x0000000000000000-mapping.dmp

Download
memory/112-127-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/112-120-0x0000000000000000-mapping.dmp

Download
memory/368-130-0x0000000000000000-mapping.dmp

Download
memory/368-158-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/368-157-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/744-184-0x0000000000000000-mapping.dmp

Download
memory/744-190-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/792-178-0x0000000000000000-mapping.dmp

Download
memory/824-113-0x0000000000000000-mapping.dmp

Download
memory/836-62-0x0000000000000000-mapping.dmp

Download
memory/928-110-0x0000000000000000-mapping.dmp

Download
memory/936-111-0x0000000000000000-mapping.dmp

Download
memory/960-434-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/1016-161-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1016-140-0x0000000000000000-mapping.dmp

Download
memory/1016-160-0x0000000002270000-0x000000000230D000-memory.dmp

Filesize
628KB

Download
memory/1104-176-0x0000000000000000-mapping.dmp

Download
memory/1104-215-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1104-164-0x0000000000000000-mapping.dmp

Download
memory/1104-195-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1164-397-0x0000000004C61000-0x0000000004C62000-memory.dmp

Filesize
4KB

Download
memory/1164-401-0x0000000004C64000-0x0000000004C66000-memory.dmp

Filesize
8KB

Download
memory/1164-400-0x0000000004C63000-0x0000000004C64000-memory.dmp

Filesize
4KB

Download
memory/1164-399-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/1164-393-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1164-394-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/1188-114-0x0000000000000000-mapping.dmp

Download
memory/1204-150-0x0000000000000000-mapping.dmp

Download
memory/1212-170-0x0000000002AE0000-0x0000000002AF5000-memory.dmp

Filesize
84KB

Download
memory/1212-426-0x0000000002B20000-0x0000000002B35000-memory.dmp

Filesize
84KB

Download
memory/1212-435-0x0000000002B40000-0x0000000002B55000-memory.dmp

Filesize
84KB

Download
memory/1280-295-0x0000000000000000-mapping.dmp

Download
memory/1300-290-0x0000000000000000-mapping.dmp

Download
memory/1332-185-0x0000000000000000-mapping.dmp

Download
memory/1348-177-0x0000000000000000-mapping.dmp

Download
memory/1380-405-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1524-181-0x0000000000000000-mapping.dmp

Download
memory/1552-125-0x0000000000000000-mapping.dmp

Download
memory/1580-229-0x0000000002110000-0x000000000217F000-memory.dmp

Filesize
444KB

Download
memory/1580-182-0x0000000000000000-mapping.dmp

Download
memory/1580-379-0x0000000002630000-0x0000000002701000-memory.dmp

Filesize
836KB

Download
memory/1608-60-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1644-108-0x0000000000000000-mapping.dmp

Download
memory/1712-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1712-98-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1712-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1712-93-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1712-97-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1712-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1712-72-0x0000000000000000-mapping.dmp

Download
memory/1712-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1712-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1712-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1712-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1712-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1712-99-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1720-406-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1732-430-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/1732-429-0x00000000002C0000-0x0000000000353000-memory.dmp

Filesize
588KB

Download
memory/1736-107-0x0000000000000000-mapping.dmp

Download
memory/1788-292-0x0000000000000000-mapping.dmp

Download
memory/1808-271-0x0000000000000000-mapping.dmp

Download
memory/1828-411-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1828-410-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1836-133-0x0000000000000000-mapping.dmp

Download
memory/1936-386-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1936-263-0x0000000000417DFA-mapping.dmp

Download
memory/1976-297-0x0000000000000000-mapping.dmp

Download
memory/1980-402-0x00000000030B0000-0x0000000003181000-memory.dmp

Filesize
836KB

Download
memory/1996-404-0x00000000021A0000-0x000000000223E000-memory.dmp

Filesize
632KB

Download
memory/2012-183-0x0000000000000000-mapping.dmp

Download
memory/2016-175-0x0000000000000000-mapping.dmp

Download
memory/2016-223-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2016-196-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2064-279-0x0000000000000000-mapping.dmp

Download
memory/2124-275-0x0000000000000000-mapping.dmp

Download
memory/2140-201-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2140-191-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2140-193-0x000000000044003F-mapping.dmp

Download
memory/2188-420-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2200-287-0x0000000000000000-mapping.dmp

Download
memory/2240-398-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2256-250-0x0000000000000000-mapping.dmp

Download
memory/2288-199-0x0000000000000000-mapping.dmp

Download
memory/2372-395-0x00000000008F0000-0x000000000098D000-memory.dmp

Filesize
628KB

Download
memory/2372-396-0x0000000000400000-0x00000000008EB000-memory.dmp

Filesize
4.9MB

Download
memory/2376-202-0x0000000000000000-mapping.dmp

Download
memory/2400-204-0x0000000000000000-mapping.dmp

Download
memory/2480-206-0x0000000000000000-mapping.dmp

Download
memory/2492-207-0x0000000000000000-mapping.dmp

Download
memory/2496-392-0x0000000000920000-0x0000000000A3B000-memory.dmp

Filesize
1.1MB

Download
memory/2504-257-0x0000000000000000-mapping.dmp

Download
memory/2508-285-0x0000000000000000-mapping.dmp

Download
memory/2520-210-0x0000000000000000-mapping.dmp

Download
memory/2520-378-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2580-273-0x0000000000000000-mapping.dmp

Download
memory/2592-212-0x0000000000000000-mapping.dmp

Download
memory/2640-216-0x0000000000000000-mapping.dmp

Download
memory/2648-387-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2648-388-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2648-262-0x0000000000000000-mapping.dmp

Download
memory/2668-218-0x0000000000000000-mapping.dmp

Download
memory/2684-219-0x0000000000000000-mapping.dmp

Download
memory/2700-234-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2700-389-0x0000000001EB0000-0x0000000001EB2000-memory.dmp

Filesize
8KB

Download
memory/2700-221-0x0000000000000000-mapping.dmp

Download
memory/2712-222-0x0000000000000000-mapping.dmp

Download
memory/2712-425-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2712-385-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2712-384-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/2728-277-0x0000000000000000-mapping.dmp

Download
memory/2752-391-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2752-390-0x0000000002D50000-0x0000000003676000-memory.dmp

Filesize
9.1MB

Download
memory/2752-225-0x0000000000000000-mapping.dmp

Download
memory/2760-377-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2760-242-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2760-226-0x0000000000000000-mapping.dmp

Download
memory/2776-380-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2776-227-0x0000000000000000-mapping.dmp

Download
memory/2776-239-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2780-281-0x0000000000000000-mapping.dmp

Download
memory/2792-228-0x0000000000000000-mapping.dmp

Download
memory/2792-403-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2824-381-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2824-230-0x0000000000000000-mapping.dmp

Download
memory/2824-243-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2872-251-0x0000000000417DEA-mapping.dmp

Download
memory/2872-249-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-383-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2924-238-0x0000000000000000-mapping.dmp

Download
memory/2928-283-0x0000000000000000-mapping.dmp

Download
memory/3024-246-0x0000000000000000-mapping.dmp

Download
memory/3024-382-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3056-261-0x0000000000417DEE-mapping.dmp

Download