onlylogger | 3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831

Analysis

max time kernel
185s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
22-02-2022 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe
Size

3.7MB
MD5

a77e8b8a974aebe44edb88c94ca4385d
SHA1

9672032721b99b03a4a6ebe97ed21b5cf747fdf5
SHA256

3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831
SHA512

3c0215451cfce76c1ace8ed2678028685914bde6ca4b81a8060026532e0e36dd660402faaf205a8a8eee015e25192913db43fabf4d96c50946bec0901b311337

Score

10^/10

onlylogger raccoon redline smokeloader tofsee vidar 1c0fad6805a0f65d7b597130eb9f089ffbe9857d 933 aspackv2 backdoor evasion infostealer loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

raccoon

Botnet

1c0fad6805a0f65d7b597130eb9f089ffbe9857d

Attributes

url4cnc
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 1536 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1536	rUNdlL32.eXe

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2152-226-0x0000000000BA0000-0x0000000000DD1000-memory.dmp	family_redline
behavioral2/memory/2152-225-0x0000000000BA0000-0x0000000000DD1000-memory.dmp	family_redline
behavioral2/memory/2152-212-0x0000000000BA0000-0x0000000000DD1000-memory.dmp	family_redline
behavioral2/memory/2152-247-0x0000000000BA2000-0x0000000000BD8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3668 created 2336	3668	WerFault.exe	rundll32.exe
PID 3276 created 2024	3276	WerFault.exe	setup_install.exe
PID 1144 created 2068	1144	WerFault.exe	sonia_3.exe
PID 4176 created 3232	4176	WerFault.exe	sTJ7AAnhMrSs7JBLfYhkdD9F.exe
PID 4356 created 3988	4356	WerFault.exe	z1LW4SihUjAKWSDCr1PUTWkT.exe
PID 4724 created 3004	4724	WerFault.exe	IMTq73UypD29iufMRtJyzNaf.exe
PID 4672 created 3780	4672	WerFault.exe	uTvOG1a67A81Q1Nqyh3FbDw_.exe
PID 4688 created 540	4688	WerFault.exe	9T5cPEihSV5EGRvIUBy1hcXL.exe
PID 4696 created 760	4696	WerFault.exe	kfHZulsHrcUzDYNwQq0j2GCf.exe
PID 4716 created 1516	4716	WerFault.exe	_mxx2DUdHjkMc6CbA3eM7SIl.exe
PID 4944 created 1516	4944	WerFault.exe	_mxx2DUdHjkMc6CbA3eM7SIl.exe
PID 4864 created 3780	4864	WerFault.exe	uTvOG1a67A81Q1Nqyh3FbDw_.exe
PID 4880 created 540	4880	WerFault.exe	9T5cPEihSV5EGRvIUBy1hcXL.exe
PID 4908 created 760	4908	WerFault.exe	kfHZulsHrcUzDYNwQq0j2GCf.exe
PID 5052 created 3988	5052	WerFault.exe	z1LW4SihUjAKWSDCr1PUTWkT.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3988-258-0x00000000019F0000-0x0000000001A34000-memory.dmp	family_onlylogger
behavioral2/memory/3988-259-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2068-244-0x00000000009C0000-0x0000000000A5D000-memory.dmp	family_vidar
behavioral2/memory/2068-248-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

setup_install.exesonia_2.exesonia_4.exesonia_5.exesonia_6.exesonia_1.exesonia_3.exesonia_7.exesonia_8.exesonia_1.exejfiag3g_gg.exejfiag3g_gg.exeyYNlo1a0UrlIgU9isC2dPEOW.exez1LW4SihUjAKWSDCr1PUTWkT.exeY923FDJPtCYRf_WTs5DOb6mK.exetmw2HvFckoiHtVF3ZLtnftwW.exeRSRslU4OracSmf84uzPzSb7I.exeElKiY0cipi2SiTjcIAppxW7C.exesTJ7AAnhMrSs7JBLfYhkdD9F.exe1ws1RgJciphqYvgEhqLpf2Ww.exeisf4hT8PkkoWK_6S3y0QbYmj.exe9T5cPEihSV5EGRvIUBy1hcXL.exekfHZulsHrcUzDYNwQq0j2GCf.exeuTvOG1a67A81Q1Nqyh3FbDw_.exeEe9dOi_oUfYVzKZpuK9qYtap.exeqhNz1GtezkmNCjAMsiQG2jH9.exeIMTq73UypD29iufMRtJyzNaf.exe_mxx2DUdHjkMc6CbA3eM7SIl.exeLrvVe_I6dPZe2op0W6rIC7f5.exeJUSjUjm8rmOWjpRHvNkUkaLp.exeRSRslU4OracSmf84uzPzSb7I.exeInstall.exe

pid	process
2024	setup_install.exe
3556	sonia_2.exe
2612	sonia_4.exe
3732	sonia_5.exe
3572	sonia_6.exe
1928	sonia_1.exe
2068	sonia_3.exe
2448	sonia_7.exe
3488	sonia_8.exe
3976	sonia_1.exe
2132	jfiag3g_gg.exe
2268	jfiag3g_gg.exe
2152	yYNlo1a0UrlIgU9isC2dPEOW.exe
3988	z1LW4SihUjAKWSDCr1PUTWkT.exe
4008	Y923FDJPtCYRf_WTs5DOb6mK.exe
3728	tmw2HvFckoiHtVF3ZLtnftwW.exe
3464	RSRslU4OracSmf84uzPzSb7I.exe
1664	ElKiY0cipi2SiTjcIAppxW7C.exe
3232	sTJ7AAnhMrSs7JBLfYhkdD9F.exe
3768	1ws1RgJciphqYvgEhqLpf2Ww.exe
1884	isf4hT8PkkoWK_6S3y0QbYmj.exe
540	9T5cPEihSV5EGRvIUBy1hcXL.exe
760	kfHZulsHrcUzDYNwQq0j2GCf.exe
3780	uTvOG1a67A81Q1Nqyh3FbDw_.exe
2540	Ee9dOi_oUfYVzKZpuK9qYtap.exe
2512	qhNz1GtezkmNCjAMsiQG2jH9.exe
3004	IMTq73UypD29iufMRtJyzNaf.exe
1516	_mxx2DUdHjkMc6CbA3eM7SIl.exe
4160	LrvVe_I6dPZe2op0W6rIC7f5.exe
4372	JUSjUjm8rmOWjpRHvNkUkaLp.exe
4380	RSRslU4OracSmf84uzPzSb7I.exe
4664	Install.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe	upx
C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exesonia_1.exesonia_6.exetmw2HvFckoiHtVF3ZLtnftwW.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sonia_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sonia_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	tmw2HvFckoiHtVF3ZLtnftwW.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exesonia_2.exerundll32.exe

pid	process
2024	setup_install.exe
2024	setup_install.exe
2024	setup_install.exe
2024	setup_install.exe
2024	setup_install.exe
2024	setup_install.exe
3556	sonia_2.exe
2336	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sonia_7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 ip-api.com
67 ipinfo.io
68 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

yYNlo1a0UrlIgU9isC2dPEOW.exe

pid process

2152 yYNlo1a0UrlIgU9isC2dPEOW.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RSRslU4OracSmf84uzPzSb7I.exe

description pid process target process

PID 3464 set thread context of 4380 3464 RSRslU4OracSmf84uzPzSb7I.exe RSRslU4OracSmf84uzPzSb7I.exe

flow	ioc
66	ip-api.com
67	ipinfo.io
68	ipinfo.io

pid	process
2152	yYNlo1a0UrlIgU9isC2dPEOW.exe

description	pid	process	target process
PID 3464 set thread context of 4380	3464	RSRslU4OracSmf84uzPzSb7I.exe	RSRslU4OracSmf84uzPzSb7I.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.exeTiWorker.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2884	2024	WerFault.exe	setup_install.exe
3976	2336	WerFault.exe	rundll32.exe
1212	2024	WerFault.exe	setup_install.exe
904	2068	WerFault.exe	sonia_3.exe
3068	2336	WerFault.exe	rundll32.exe
4248	3232	WerFault.exe	sTJ7AAnhMrSs7JBLfYhkdD9F.exe
4448	3988	WerFault.exe	z1LW4SihUjAKWSDCr1PUTWkT.exe
4772	3004	WerFault.exe	IMTq73UypD29iufMRtJyzNaf.exe
5072	3988	WerFault.exe	z1LW4SihUjAKWSDCr1PUTWkT.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sonia_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.721794"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4308"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901508852844131"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.961970"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.126243"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exe

pid	process
3556	sonia_2.exe
3556	sonia_2.exe
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sonia_2.exe

pid process

3556 sonia_2.exe

pid	process
2460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exesonia_4.exesonia_5.exe

description	pid	process
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeDebugPrivilege	2612	sonia_4.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeDebugPrivilege	3732	sonia_5.exe
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe
Token: SeSecurityPrivilege	484	TiWorker.exe
Token: SeBackupPrivilege	484	TiWorker.exe
Token: SeRestorePrivilege	484	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesonia_1.exesonia_7.exerUNdlL32.eXe

description	pid	process	target process
PID 448 wrote to memory of 2024	448	3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe	setup_install.exe
PID 448 wrote to memory of 2024	448	3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe	setup_install.exe
PID 448 wrote to memory of 2024	448	3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe	setup_install.exe
PID 2024 wrote to memory of 1752	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 1752	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 1752	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2536	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2536	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2536	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2136	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2136	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 2136	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3652	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3652	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3652	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3744	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3744	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3744	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 968	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 968	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 968	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3960	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3960	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 3960	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 1680	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 1680	2024	setup_install.exe	cmd.exe
PID 2024 wrote to memory of 1680	2024	setup_install.exe	cmd.exe
PID 2536 wrote to memory of 3556	2536	cmd.exe	sonia_2.exe
PID 2536 wrote to memory of 3556	2536	cmd.exe	sonia_2.exe
PID 2536 wrote to memory of 3556	2536	cmd.exe	sonia_2.exe
PID 3652 wrote to memory of 2612	3652	cmd.exe	sonia_4.exe
PID 3652 wrote to memory of 2612	3652	cmd.exe	sonia_4.exe
PID 3744 wrote to memory of 3732	3744	cmd.exe	sonia_5.exe
PID 3744 wrote to memory of 3732	3744	cmd.exe	sonia_5.exe
PID 968 wrote to memory of 3572	968	cmd.exe	sonia_6.exe
PID 968 wrote to memory of 3572	968	cmd.exe	sonia_6.exe
PID 968 wrote to memory of 3572	968	cmd.exe	sonia_6.exe
PID 1752 wrote to memory of 1928	1752	cmd.exe	sonia_1.exe
PID 1752 wrote to memory of 1928	1752	cmd.exe	sonia_1.exe
PID 1752 wrote to memory of 1928	1752	cmd.exe	sonia_1.exe
PID 2136 wrote to memory of 2068	2136	cmd.exe	sonia_3.exe
PID 2136 wrote to memory of 2068	2136	cmd.exe	sonia_3.exe
PID 2136 wrote to memory of 2068	2136	cmd.exe	sonia_3.exe
PID 3960 wrote to memory of 2448	3960	cmd.exe	sonia_7.exe
PID 3960 wrote to memory of 2448	3960	cmd.exe	sonia_7.exe
PID 3960 wrote to memory of 2448	3960	cmd.exe	sonia_7.exe
PID 1680 wrote to memory of 3488	1680	cmd.exe	sonia_8.exe
PID 1680 wrote to memory of 3488	1680	cmd.exe	sonia_8.exe
PID 1680 wrote to memory of 3488	1680	cmd.exe	sonia_8.exe
PID 1928 wrote to memory of 3976	1928	sonia_1.exe	sonia_1.exe
PID 1928 wrote to memory of 3976	1928	sonia_1.exe	sonia_1.exe
PID 1928 wrote to memory of 3976	1928	sonia_1.exe	sonia_1.exe
PID 2448 wrote to memory of 2132	2448	sonia_7.exe	jfiag3g_gg.exe
PID 2448 wrote to memory of 2132	2448	sonia_7.exe	jfiag3g_gg.exe
PID 2448 wrote to memory of 2132	2448	sonia_7.exe	jfiag3g_gg.exe
PID 2024 wrote to memory of 2884	2024	setup_install.exe	WerFault.exe
PID 2024 wrote to memory of 2884	2024	setup_install.exe	WerFault.exe
PID 2024 wrote to memory of 2884	2024	setup_install.exe	WerFault.exe
PID 3044 wrote to memory of 2336	3044	rUNdlL32.eXe	rundll32.exe
PID 3044 wrote to memory of 2336	3044	rUNdlL32.eXe	rundll32.exe
PID 3044 wrote to memory of 2336	3044	rUNdlL32.eXe	rundll32.exe
PID 2448 wrote to memory of 2268	2448	sonia_7.exe	jfiag3g_gg.exe
PID 2448 wrote to memory of 2268	2448	sonia_7.exe	jfiag3g_gg.exe
PID 2448 wrote to memory of 2268	2448	sonia_7.exe	jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe
"C:\Users\Admin\AppData\Local\Temp\3818c30f96f88511eb089b3ab8eb72df824d401a581cd60ea144fd93095d4831.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.exe
sonia_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.exe" -a
5⤵
- Executes dropped EXE
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_3.exe
sonia_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1168
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_2.exe
sonia_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_4.exe
sonia_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_8.exe
sonia_8.exe
4⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_7.exe
sonia_7.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_6.exe
sonia_6.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3572

C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe
"C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3464

C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe
"C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe"
6⤵
- Executes dropped EXE
PID:4380

C:\Users\Admin\Documents\tmw2HvFckoiHtVF3ZLtnftwW.exe
"C:\Users\Admin\Documents\tmw2HvFckoiHtVF3ZLtnftwW.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ekopypv\
6⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ydyxvzrq.exe" C:\Windows\SysWOW64\ekopypv\
6⤵
PID:4976

C:\Users\Admin\Documents\Y923FDJPtCYRf_WTs5DOb6mK.exe
"C:\Users\Admin\Documents\Y923FDJPtCYRf_WTs5DOb6mK.exe"
5⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\Documents\z1LW4SihUjAKWSDCr1PUTWkT.exe
"C:\Users\Admin\Documents\z1LW4SihUjAKWSDCr1PUTWkT.exe"
5⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 624
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 632
6⤵
- Program crash
PID:5072

C:\Users\Admin\Documents\yYNlo1a0UrlIgU9isC2dPEOW.exe
"C:\Users\Admin\Documents\yYNlo1a0UrlIgU9isC2dPEOW.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2152

C:\Users\Admin\Documents\ElKiY0cipi2SiTjcIAppxW7C.exe
"C:\Users\Admin\Documents\ElKiY0cipi2SiTjcIAppxW7C.exe"
5⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\Documents\sTJ7AAnhMrSs7JBLfYhkdD9F.exe
"C:\Users\Admin\Documents\sTJ7AAnhMrSs7JBLfYhkdD9F.exe"
5⤵
- Executes dropped EXE
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 412
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4248

C:\Users\Admin\Documents\1ws1RgJciphqYvgEhqLpf2Ww.exe
"C:\Users\Admin\Documents\1ws1RgJciphqYvgEhqLpf2Ww.exe"
5⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\Documents\qhNz1GtezkmNCjAMsiQG2jH9.exe
"C:\Users\Admin\Documents\qhNz1GtezkmNCjAMsiQG2jH9.exe"
5⤵
- Executes dropped EXE
PID:2512

C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe
"C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe"
5⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\Documents\uTvOG1a67A81Q1Nqyh3FbDw_.exe
"C:\Users\Admin\Documents\uTvOG1a67A81Q1Nqyh3FbDw_.exe"
5⤵
- Executes dropped EXE
PID:3780

C:\Users\Admin\Documents\IMTq73UypD29iufMRtJyzNaf.exe
"C:\Users\Admin\Documents\IMTq73UypD29iufMRtJyzNaf.exe"
5⤵
- Executes dropped EXE
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 460
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4772

C:\Users\Admin\Documents\_mxx2DUdHjkMc6CbA3eM7SIl.exe
"C:\Users\Admin\Documents\_mxx2DUdHjkMc6CbA3eM7SIl.exe"
5⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\Documents\LrvVe_I6dPZe2op0W6rIC7f5.exe
"C:\Users\Admin\Documents\LrvVe_I6dPZe2op0W6rIC7f5.exe"
5⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\7zSBC69.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\Documents\Ee9dOi_oUfYVzKZpuK9qYtap.exe
"C:\Users\Admin\Documents\Ee9dOi_oUfYVzKZpuK9qYtap.exe"
5⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\Documents\kfHZulsHrcUzDYNwQq0j2GCf.exe
"C:\Users\Admin\Documents\kfHZulsHrcUzDYNwQq0j2GCf.exe"
5⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\Documents\9T5cPEihSV5EGRvIUBy1hcXL.exe
"C:\Users\Admin\Documents\9T5cPEihSV5EGRvIUBy1hcXL.exe"
5⤵
- Executes dropped EXE
PID:540

C:\Users\Admin\Documents\JUSjUjm8rmOWjpRHvNkUkaLp.exe
"C:\Users\Admin\Documents\JUSjUjm8rmOWjpRHvNkUkaLp.exe"
5⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_5.exe
sonia_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 576
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 576
3⤵
- Program crash
PID:1212

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1892

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 616
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 616
3⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2024 -ip 2024
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2068 -ip 2068
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2336 -ip 2336
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3232 -ip 3232
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3988 -ip 3988
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3780 -ip 3780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 540 -ip 540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 760 -ip 760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1516 -ip 1516
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3004 -ip 3004
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 540 -ip 540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3780 -ip 3780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 760 -ip 760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1516 -ip 1516
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3988 -ip 3988
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
71b3d3aff7419f41f7079d6a98dd4b71

SHA1
46c5002b862f917a6ff36057a8393b5508c05ac0

SHA256
696d67be311db74819d6d248c45c2c679bd0cfa8386cc108a108eadfe822d3f5

SHA512
da5264913642a39532f9148b2c25c9dae6219ad5bef854081b69a2d049aa1426060dc1f6ac4834317d6e8f61f87e5330656ae4870f53215177e563ee39d2e62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3c70c46b9af8e86608a0f07f739ad1fb

SHA1
6cccb3e7efa6d30cd5bdb65df467e5fb7eafd10b

SHA256
78ad0aeab10e564b9f845a3483a2065b65753b300649081851d3e2d7e610d897

SHA512
59a950c6bb2271b2b8bcd0d9e736ce6af4074a097b1658f9cd5c816dc60c6624cf61a37bc18a9f05bf33842300010b535959b1a93315dfe7566ccacfaf59f34a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
c0cb4dcf5510208dc88aa2eb5a7cc0c0

SHA1
5366c6dc86bfe1bfd8199e3beb858e1176bf3970

SHA256
6b90216beb385f21b973d7ec8383faae6d6c75bda5ca6eed6f17a00427f1c46a

SHA512
0ce567b5efb92ae32dde8bfb498145efcbf8ec0073e51bbb6f0fed50702b45efcd5da5f7dce3ca5b68e21ae6f47998dc7a135d9f27948b9307a372f158f5b9e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c09ca63645a4cb75ce9552e55e388788

SHA1
a4afa8c7b6d25e810bf35e8e2fc18b7183b2c742

SHA256
e40474fab3f0b6e20ca9404454a2d7bd261c5ab7c5499dfffec2c62c5fe3b423

SHA512
5f792b46b236ac08dab6ea29a3522ca37c2417f7e0bbe3e0198c8e3517d5ce07f1ce7f8a3b7ed1f7429484d5797f87502446a5d09df93641ec591567a002acf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe
MD5
86eb4601a81e1549a4b0b9f90e763295

SHA1
b59c2d6b9489bab04cc3fef8833c7f99f2225484

SHA256
dece6c4d44e07bce5a564e48d6504939aa41fae261ed43cccf708a4746e61dbf

SHA512
2a014fa8b009c5396c3aa1fba7a7cfbd65965df918bd42f4eba8c58e11babb43719608f908f039c4ec92dee8c66cb8a52673ca285ec3f1df8f6eaa4ebc6b26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\setup_install.exe
MD5
86eb4601a81e1549a4b0b9f90e763295

SHA1
b59c2d6b9489bab04cc3fef8833c7f99f2225484

SHA256
dece6c4d44e07bce5a564e48d6504939aa41fae261ed43cccf708a4746e61dbf

SHA512
2a014fa8b009c5396c3aa1fba7a7cfbd65965df918bd42f4eba8c58e11babb43719608f908f039c4ec92dee8c66cb8a52673ca285ec3f1df8f6eaa4ebc6b26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_1.txt
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_2.exe
MD5
a4b857565a7642e89087e62178c00fc2

SHA1
c44e9bce953173bccfe53e19c56f586d285c6dc6

SHA256
4707d1632c39246df01da9218cfbce99b0ff099cfc33934b210e422adf049268

SHA512
17dedbe2faa17e68021e7ad540fe1b2e1ed6072e16ea0d55fce0c1195732d7cb5611dea3067d5b43c70f689fa99af859cd014e101bfebfb3f017a2dde3a97996

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_2.txt
MD5
a4b857565a7642e89087e62178c00fc2

SHA1
c44e9bce953173bccfe53e19c56f586d285c6dc6

SHA256
4707d1632c39246df01da9218cfbce99b0ff099cfc33934b210e422adf049268

SHA512
17dedbe2faa17e68021e7ad540fe1b2e1ed6072e16ea0d55fce0c1195732d7cb5611dea3067d5b43c70f689fa99af859cd014e101bfebfb3f017a2dde3a97996

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_3.exe
MD5
5b7ce3e5035f4a4c59a2e7681d012b42

SHA1
15f42e7402ef97a3a985ba36f6a9c8ddcb22b761

SHA256
8162d3bac46dc24a12ad3398bafa12c0d17ce702baaec55a4114799ad50b9d6d

SHA512
c1e7aa8a172d3c824b5f319f6a282ff2f6a17a34f76cfff25bbd622e9fa85a777f4b6bb5ca2990ae68d6f9de489c8e8ea7b4ed9772b60685c1dd087b94eafa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_3.txt
MD5
5b7ce3e5035f4a4c59a2e7681d012b42

SHA1
15f42e7402ef97a3a985ba36f6a9c8ddcb22b761

SHA256
8162d3bac46dc24a12ad3398bafa12c0d17ce702baaec55a4114799ad50b9d6d

SHA512
c1e7aa8a172d3c824b5f319f6a282ff2f6a17a34f76cfff25bbd622e9fa85a777f4b6bb5ca2990ae68d6f9de489c8e8ea7b4ed9772b60685c1dd087b94eafa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_4.exe
MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_4.txt
MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_5.exe
MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_5.txt
MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_6.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_6.txt
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_7.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_7.txt
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_8.exe
MD5
c04d390489ac28e849ca9159224822af

SHA1
5b0c9e7b4a95d4729e62d106dbf89cb72919e64a

SHA256
d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df

SHA512
25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C1AA6EE\sonia_8.txt
MD5
c04d390489ac28e849ca9159224822af

SHA1
5b0c9e7b4a95d4729e62d106dbf89cb72919e64a

SHA256
d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df

SHA512
25a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
80b52b1c8a0e142b9d097c0fb9e7763a

SHA1
c65c29b01cac914bcb6f10035d5699a40ae9b9d8

SHA256
ae614ecc140c17950a3e1714e27183da7704871f5a2fb13d9e5adcabb85cdf38

SHA512
2e9d717d9d3d0b91584cee42af80655131845382a8b7f13303b2a75eebbbb122d44cd9e26e402eaceb18b5c2fcdce9b830c53302545c9598babf8dee99aff6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\Documents\1ws1RgJciphqYvgEhqLpf2Ww.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Documents\1ws1RgJciphqYvgEhqLpf2Ww.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Documents\9T5cPEihSV5EGRvIUBy1hcXL.exe
MD5
514e86294848f090a193d0441cb8144f

SHA1
497d366b776396ceb85b660b7f54215c7a093f0a

SHA256
93f5ca124d4d6b2ce21517af52614e5d95e7a2884d17b4e53aa10504fed0054a

SHA512
199d0201a2fbb0aa85b6d828f298537fa97206395c8b1ed22916e764332661978b7ed0de98359d27168e26b2393a63d1a9de33df7d727aa90bf12c2bad020eaa

Download Submit
C:\Users\Admin\Documents\ElKiY0cipi2SiTjcIAppxW7C.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Documents\ElKiY0cipi2SiTjcIAppxW7C.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Documents\RSRslU4OracSmf84uzPzSb7I.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Documents\Y923FDJPtCYRf_WTs5DOb6mK.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Documents\Y923FDJPtCYRf_WTs5DOb6mK.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Documents\isf4hT8PkkoWK_6S3y0QbYmj.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Documents\kfHZulsHrcUzDYNwQq0j2GCf.exe
MD5
f58a4a3e29618ab505e21f365a431b35

SHA1
b8c799d77ed942afc7ad3e6b09e7b4f4969d28e6

SHA256
82c261830fa232ffb2f4fae07feef14df9f257358519aff0fed0c8fff470abb8

SHA512
31765baf243256a33a2ed600099aa8c8852b3ef40de60c876d3c8836eba9b5c6c83ff5a51c36c599d59a66b775ff10ba193527aa1334371887a6a7642b40a44e

Download Submit
C:\Users\Admin\Documents\sTJ7AAnhMrSs7JBLfYhkdD9F.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Documents\tmw2HvFckoiHtVF3ZLtnftwW.exe
MD5
21edac2888fcab387eddd89cd40d56b7

SHA1
2e2fb7f73652851e4d4d62b67f79b2cc168c06ce

SHA256
140aa420dd32f38c48beb6b329c5aa4eea17d8d28a422773efb36f8d74b884f2

SHA512
2b79bd7722918bdb7a92c3c57ec3bb87a385ec3de2fb485db2b9a3aed9194c961da64db996b3fc574f213e8b92abec02acd9dabdb33a6b35d1fbbf99d6831887

Download Submit
C:\Users\Admin\Documents\tmw2HvFckoiHtVF3ZLtnftwW.exe
MD5
21edac2888fcab387eddd89cd40d56b7

SHA1
2e2fb7f73652851e4d4d62b67f79b2cc168c06ce

SHA256
140aa420dd32f38c48beb6b329c5aa4eea17d8d28a422773efb36f8d74b884f2

SHA512
2b79bd7722918bdb7a92c3c57ec3bb87a385ec3de2fb485db2b9a3aed9194c961da64db996b3fc574f213e8b92abec02acd9dabdb33a6b35d1fbbf99d6831887

Download Submit
C:\Users\Admin\Documents\uTvOG1a67A81Q1Nqyh3FbDw_.exe
MD5
870a75bcc5a216328555d10c05af4811

SHA1
424bf703e27445cb76ccc1ddc6bb6c4034e5a911

SHA256
4eca865f3bee640098363bf55f90dcfe936db969bbc6a5074ddae5814f57b45c

SHA512
0f421158947b70f6bc91b7ad1b074ed478e3d1cba2d97102d3d397d4a1377543ffcd95eac663ded5b97b04027785855cf1348040a86e2f1835ebfb2d35c3133a

Download Submit
C:\Users\Admin\Documents\yYNlo1a0UrlIgU9isC2dPEOW.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Documents\yYNlo1a0UrlIgU9isC2dPEOW.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Documents\z1LW4SihUjAKWSDCr1PUTWkT.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Documents\z1LW4SihUjAKWSDCr1PUTWkT.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
memory/540-255-0x00000000026E0000-0x0000000002740000-memory.dmp

Filesize
384KB

Download
memory/760-254-0x0000000002700000-0x0000000002760000-memory.dmp

Filesize
384KB

Download
memory/1516-253-0x0000000002700000-0x0000000002760000-memory.dmp

Filesize
384KB

Download
memory/1664-268-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/1664-243-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/1664-221-0x0000000000860000-0x000000000092E000-memory.dmp

Filesize
824KB

Download
memory/2024-237-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/2024-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2024-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2024-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2024-155-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-154-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-153-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-152-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-151-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-191-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-236-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/2024-235-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2024-234-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2024-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2024-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2024-233-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2024-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2024-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2024-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2024-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-232-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2068-242-0x0000000000C22000-0x0000000000C86000-memory.dmp

Filesize
400KB

Download
memory/2068-248-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2068-173-0x0000000000C22000-0x0000000000C86000-memory.dmp

Filesize
400KB

Download
memory/2068-244-0x00000000009C0000-0x0000000000A5D000-memory.dmp

Filesize
628KB

Download
memory/2152-212-0x0000000000BA0000-0x0000000000DD1000-memory.dmp

Filesize
2.2MB

Download
memory/2152-227-0x00000000743D0000-0x0000000074459000-memory.dmp

Filesize
548KB

Download
memory/2152-247-0x0000000000BA2000-0x0000000000BD8000-memory.dmp

Filesize
216KB

Download
memory/2152-251-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/2152-225-0x0000000000BA0000-0x0000000000DD1000-memory.dmp

Filesize
2.2MB

Download
memory/2152-226-0x0000000000BA0000-0x0000000000DD1000-memory.dmp

Filesize
2.2MB

Download
memory/2152-223-0x0000000076E30000-0x0000000077045000-memory.dmp

Filesize
2.1MB

Download
memory/2152-219-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2152-250-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2152-238-0x00000000023D0000-0x0000000002416000-memory.dmp

Filesize
280KB

Download
memory/2460-241-0x0000000000C40000-0x0000000000C55000-memory.dmp

Filesize
84KB

Download
memory/2540-249-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/2540-224-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2612-245-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/2612-239-0x00007FFA2C4F3000-0x00007FFA2C4F5000-memory.dmp

Filesize
8KB

Download
memory/2612-174-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/3004-252-0x00000000026A0000-0x0000000002700000-memory.dmp

Filesize
384KB

Download
memory/3232-272-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3232-273-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3232-281-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3232-280-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3232-279-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/3232-278-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/3232-277-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3232-276-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3232-275-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3232-274-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3232-271-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3232-270-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3232-269-0x0000000002890000-0x00000000028EF000-memory.dmp

Filesize
380KB

Download
memory/3232-282-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3464-230-0x0000000002360000-0x00000000023F6000-memory.dmp

Filesize
600KB

Download
memory/3464-229-0x00000000021C0000-0x0000000002231000-memory.dmp

Filesize
452KB

Download
memory/3488-192-0x00000000000E0000-0x00000000001B2000-memory.dmp

Filesize
840KB

Download
memory/3488-240-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/3556-166-0x0000000000A22000-0x0000000000A2B000-memory.dmp

Filesize
36KB

Download
memory/3556-179-0x0000000000A22000-0x0000000000A2B000-memory.dmp

Filesize
36KB

Download
memory/3556-180-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3556-181-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3728-261-0x0000000000770000-0x0000000000783000-memory.dmp

Filesize
76KB

Download
memory/3728-260-0x0000000000760000-0x000000000076D000-memory.dmp

Filesize
52KB

Download
memory/3728-262-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3732-177-0x00000000000A0000-0x00000000000DE000-memory.dmp

Filesize
248KB

Download
memory/3780-256-0x00000000027E0000-0x0000000002840000-memory.dmp

Filesize
384KB

Download
memory/3988-257-0x00000000019B0000-0x00000000019D7000-memory.dmp

Filesize
156KB

Download
memory/3988-258-0x00000000019F0000-0x0000000001A34000-memory.dmp

Filesize
272KB

Download
memory/3988-259-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4008-246-0x00000000728EE000-0x00000000728EF000-memory.dmp

Filesize
4KB

Download
memory/4008-213-0x00000000001F0000-0x0000000000270000-memory.dmp

Filesize
512KB

Download
memory/4380-267-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4380-228-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4380-266-0x0000000002510000-0x00000000025A2000-memory.dmp

Filesize
584KB

Download
memory/4380-265-0x000000000095C000-0x00000000009AC000-memory.dmp

Filesize
320KB

Download
memory/4380-263-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4380-231-0x000000000095C000-0x00000000009AC000-memory.dmp

Filesize
320KB

Download