nullmixer | 165df9744a81b49e06c73c67d51ff795c2747d0d1bac65d7ebad5c8f01d23910

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c507477d882e153632bd9e260f33876e.exe
Size

2.8MB
MD5

c507477d882e153632bd9e260f33876e
SHA1

8860494283d5107508459b0fc2011608d87a49ed
SHA256

165df9744a81b49e06c73c67d51ff795c2747d0d1bac65d7ebad5c8f01d23910
SHA512

f6cea3182c908ef5635cd66e4d1295eb1fa01cda96d23bf44a3ca1ab7bba5dddc447e5c1471c7f5f377043ee47ee72219cb1f57ec1b24aaaf79245c5d90598ad
SSDEEP

49152:EgQ7qcBvjb5GPa0afe4AI2q9n8s5NdbzwzCd1N0U2JjPyP0gvs2XqOE0+j+tKUng:JQ7quhEa/W4z2qB8s5NdbT7N0U2JjP0W

Score

10^/10

nullmixer privateloader risepro smokeloader pub5 aspackv2 backdoor dropper loader spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000016c8a-38.dat	aspack_v212_v242
behavioral1/files/0x0006000000016c8a-40.dat	aspack_v212_v242
behavioral1/files/0x0006000000016c8a-48.dat	aspack_v212_v242
behavioral1/files/0x0020000000015c73-57.dat	aspack_v212_v242
behavioral1/files/0x0020000000015c73-55.dat	aspack_v212_v242
behavioral1/files/0x0006000000016c12-61.dat	aspack_v212_v242
behavioral1/files/0x0006000000016c8a-66.dat	aspack_v212_v242
behavioral1/files/0x0006000000016c12-62.dat	aspack_v212_v242
behavioral1/files/0x0006000000016bf1-54.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

pid	Process
1960	setup_installer.exe
2552	setup_install.exe
2728	sonia_7.exe
2708	sonia_1.exe
1256	sonia_2.exe
1344	sonia_3.exe
2168	sonia_4.exe
2744	sonia_5.exe
308	sonia_1.exe
696	sonia_6.exe
2200	Triste.exe.com
2908	Triste.exe.com
1876	RegAsm.exe

Loads dropped DLL 47 IoCs

pid	Process
2504	c507477d882e153632bd9e260f33876e.exe
1960	setup_installer.exe
1960	setup_installer.exe
1960	setup_installer.exe
1960	setup_installer.exe
1960	setup_installer.exe
1960	setup_installer.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2552	setup_install.exe
2820	cmd.exe
2628	cmd.exe
2628	cmd.exe
2708	sonia_1.exe
2708	sonia_1.exe
2596	cmd.exe
2596	cmd.exe
2696	cmd.exe
2696	cmd.exe
1256	sonia_2.exe
1256	sonia_2.exe
2812	cmd.exe
1344	sonia_3.exe
1344	sonia_3.exe
2800	cmd.exe
2744	sonia_5.exe
2744	sonia_5.exe
2836	cmd.exe
2708	sonia_1.exe
696	sonia_6.exe
696	sonia_6.exe
308	sonia_1.exe
308	sonia_1.exe
2128	cmd.exe
2200	Triste.exe.com
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1256	sonia_2.exe
1940	WerFault.exe
2908	Triste.exe.com
1876	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
14	iplogger.org
21	iplogger.org
45	pastebin.com
46	pastebin.com
13	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
7	ipinfo.io
29	api.db-ip.com
30	api.db-ip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 1876	2908	Triste.exe.com	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2552	WerFault.exe	29

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sonia_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sonia_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sonia_4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sonia_4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sonia_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sonia_5.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1256	sonia_2.exe
1256	sonia_2.exe
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1256	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	sonia_4.exe
Token: SeDebugPrivilege	1876	RegAsm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	Process not Found
1220	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	Process not Found
1220	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 2504 wrote to memory of 1960	2504	c507477d882e153632bd9e260f33876e.exe	28
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 1960 wrote to memory of 2552	1960	setup_installer.exe	29
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2628	2552	setup_install.exe	31
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2696	2552	setup_install.exe	32
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2596	2552	setup_install.exe	33
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2812	2552	setup_install.exe	34
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2800	2552	setup_install.exe	35
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2836	2552	setup_install.exe	36
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2552 wrote to memory of 2820	2552	setup_install.exe	37
PID 2820 wrote to memory of 2728	2820	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\c507477d882e153632bd9e260f33876e.exe
"C:\Users\Admin\AppData\Local\Temp\c507477d882e153632bd9e260f33876e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_1.exe
      4⤵
      Loads dropped DLL
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_1.exe
        
        sonia_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_1.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_2.exe
      4⤵
      Loads dropped DLL
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_2.exe
        
        sonia_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_3.exe
      4⤵
      Loads dropped DLL
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe
        
        sonia_3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_4.exe
      4⤵
      Loads dropped DLL
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_4.exe
        
        sonia_4.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_5.exe
      4⤵
      Loads dropped DLL
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.exe
        
        sonia_5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      Loads dropped DLL
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.exe
        
        sonia_6.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
        6⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        Loads dropped DLL
        
        PID:2128
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
        8⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
        
        Triste.exe.com n
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        8⤵
        Runs ping.exe
        
        PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_7.exe
        
        sonia_7.exe
        5⤵
        Executes dropped EXE
        
        PID:2728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 412
      4⤵
      Loads dropped DLL
      Program crash
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
458b49ad7941beaae223a688215c111a

SHA1
b6c6eb423b647519c300ca2fabbd5b7532560450

SHA256
17fffaad79f35b07e069a201840bb513a685736633403121be20ed5eaa1ab8ff

SHA512
53f06a766df54921e5599d49caf819654108552b18b37177031794f51c946961af7815199699050f13c72d9caadf982d122e40ca415835a01bbec03701bbdbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compatto.rtf

Filesize
478B

MD5
b96b1288ce038869fb15d4353f760613

SHA1
5a6f01cb0546a6dd4ae1e90279aaa82bdd672b60

SHA256
2c1458ecd2cc31a6d798a1c6396926cb99a66481832f774dbdbc19594ff9bd40

SHA512
36a72a5cac8b1aaa395d9efc2fc79b4525e408c57cebaaf2f00c1ba5b51bc08ee22e5676055cdcc961197c05e41d020c8d74b0d95426095d1a5b04fb14d3b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.rtf

Filesize
141KB

MD5
c9fe1272b0624ee616b38ce674f31a28

SHA1
abf71235b4be4230d015ba3ecf318d711341534d

SHA256
cd3a87e295f7a30f5b1754db8f30c17df16884b08637f664f5fc2a3e2d64cebe

SHA512
c83331df7af3db9a4d9e7d74b68be690ff940443ae8db6d4990f7892a9cf5a73ef559a70da62f3e18292230becbf00c593be3aa6c1c4c710ab361e0e3c8ccfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\libcurl.dll

Filesize
142KB

MD5
f936449459cafea6b3f45a590bb59fe0

SHA1
6c9d1d452b366083bc35003d6487f46f8af3c179

SHA256
712648639c8d6b2166effa45e4203a3476f75de02f7884e0265ba77b02fe824c

SHA512
e591ee92d8bcf7257da8aeb81abeb207203d266a4615b90831dead439851661b84ee649b484804e3773caf506a56c89381dc4b915b4e98d9a94e721e1999ce75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\libstdc++-6.dll

Filesize
162KB

MD5
4552b6457520035c852f2783dc25af34

SHA1
29463082574c919913a278cb6f3c58c1617dec97

SHA256
20a8d156cdb67dd90f686a973f910d79681cf99c74503f24d5c480aa80178392

SHA512
2850059d1cd2760748c65a7c1ce991c8b601e24ab33fdaef44a03c4a7ff22bf2d2d5d2372891136f570d7eb69b1d6493be172d84bd4932501cdd5f01eb7d96e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe

Filesize
166KB

MD5
708a2c1440debff0c2c69dc49b2c3bf5

SHA1
4a4a1d79d1d956bfc495426a8e8b7de9cee5b76d

SHA256
08fd1afa02db94ee793348cb5f01a252da9454a89c6880f2be71bf27ddd2a668

SHA512
9d9b31b306d41db9c7ee49ed29ef24fd2171c0162029940a19ea532141595de5911fb5b042ac70c91c92b8ade3e17cda5a88a4d9a871447e62c55bb635566dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe

Filesize
287KB

MD5
f067ca4e599dc56f13ff3144fe928e02

SHA1
80c73006bd0698894e60f36005d2cd9d002ac6e9

SHA256
622fbeff10d455986088a15a44fa3d39c6353dcf1235986d1cde06df5d968c23

SHA512
bcc8273d7c20e7395b3f2e22ca43692034912c92097085834b8a7350c878300faa6af52eb5e539581bae03016d6ef827f70f99a82938e6fb186521d3ad243cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_1.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe

Filesize
249KB

MD5
59bea8f0706ca8b5c244210d649fdbd0

SHA1
9739879e6531edd15827c55dc1320ce84306aeeb

SHA256
fd475922c0b45db7555ddad6b9c9a16e688960aa73f81d844c1fffd6f8a3ef12

SHA512
a4b6f222e4bb944476d09db1151f1036529d07b8bab7b07cff319ccfb1cfdc2ce4945d5d74901bd5d114306e187f4dd224070e79614c4f3e20daac92a417efb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.txt

Filesize
463KB

MD5
2617eeabe8a8b0683b72f852103a9576

SHA1
c9e8137eb4264ab724d3e62f3219de9dad372c02

SHA256
ae5db73794a0671b00e622bb7cba2515f0ac2b3f05b45c865fa4614738f409be

SHA512
2af6cf646a7bd8cbd0cbeba716df9fbea9403492a9667da12acb06d75d1e56cf7a2967b9decf0120004ba73cc4ec2e22740c5021bf3d603665bbc729172662a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_4.exe

Filesize
163KB

MD5
42dc414ad93aedff28455e25d60b4df6

SHA1
31dde71a4c21dd94be43c933853109220b7e1616

SHA256
b1163ae3dd10e7d4be79da063e84bd46bec5acb82013df4e8dab8896d8c22f20

SHA512
8e008da0f23b8e04032e105c1efa4a2cfe7b04015eeb9dc65ad3482d0b5685d9d8c99b63b61d759091a1bc2a77a17e4851e0e60e394a999fcb9c35bedf4376ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.exe

Filesize
307KB

MD5
b7e5f599ad53f5ecc75967fd3b27a02f

SHA1
795880c6e6aa66acea97a2c8f17804cad7506fa2

SHA256
e7c2783ca917d154181de09d1033e2c145e5362f5de032034954778697db966f

SHA512
ae5dfb14cb40e157b8f7f8f34927f83abd2585f81b94904c7da6c60fb691c1c5a66eecc0227016435821ff17b2bbd659addd33a1480c5f7089f753153290aa4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.txt

Filesize
532KB

MD5
508ca4c03ef599bf51e1f6d9ef0f09ee

SHA1
a7356755e9172fb9ef7287d610d8240ecaa04843

SHA256
53538595999813d2eb9fe9df4371ea665e4cec8385ca08857cddf3ec5e886544

SHA512
6c0bdd66063719409d23d35e5cc7788d12a22a650676eedd062594314e29f7b332809c52863fde78484409d9c75c65b7b5e4d5343def3da1359577da007dab6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.exe

Filesize
153KB

MD5
f8b9aa5f46468c5f2565411db16fad15

SHA1
419a88995abd280456272800ff9c5c1d64f2a8d2

SHA256
fa1c7355c625a30f520b86bc9e1924ae3fd11fd13218780eaca15f19cf571ebf

SHA512
f6601aad39877a1356f9d5e4a69a87bdaef92184d2c0af82ddd3220c38823a98a4a9f5e444eee7ce46020027ee89d4a75f4f9bfddeb49e5b87e26724c11366f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.txt

Filesize
467KB

MD5
1e1bce80c74094fe185d23db3f1af73f

SHA1
5ae9a6aa4a6b3b1583a6951a4fdf69fea6043d3d

SHA256
3003600a9e5f130489a230e60b0b5a5f1cd82a5335dcb78fe908e3cd40eaef82

SHA512
2fecd1ff4072f5067fc29a10fee8cdfed31859a6408183d38d8f2736393e8c200d94c39dfc9470aae77567860d8ab01486ad42e328c0a0c239aec580d896135f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_7.exe

Filesize
239KB

MD5
4b22d93b15716c78574359822631a650

SHA1
2e5ad91cd4de7b91a21beaebb1b138a0e302433a

SHA256
a14fbc80257bbb603ac8cb0694f2587e60e2be4c4e79d39e7945d986b02c37b8

SHA512
85703a351512f040194225b069b803a6d266a08c956ec7ccb544833f82a661eaf0cb2d37696c97e4a79f2f7242ed68b2166f8c105bb476f6cecdc1df1818eb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_7.txt

Filesize
227KB

MD5
742a3e0e99ba761ab4204afcbbd4a98c

SHA1
26dc99457b42e2bbdebf234b0da40ddbb2265ba5

SHA256
b2d224010a7156d797001322c9d4701ec67410d922ee038cc1ddbd9b3f214e1b

SHA512
e3280bccc65f8d1dc6875620061e05a0df7aa6309c76b5a752ced5aec00a649dad40d02c78fce293006953bc68b03b77fa6d68b33d49b3255cb5aded47ecf83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D2F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6013.tmp

Filesize
119KB

MD5
bfdf3872e50c6d976d1344a992f1bb53

SHA1
ccca75746d405f54d9a735d5916b1f131d96ca53

SHA256
5f58eb6c61439c7f7aacf1e7d87a7e95aacafa75a7468e8b8a82edfcc6638233

SHA512
0a640bca70c409f1128e724bc2acbce9483aaba95bd326dc9b5423410e320cd06af6b8f3647cb9b3b939a9f87e90d7b696d5ca8562f853cfb995f5a4e2f329c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
509KB

MD5
fa06578d0ac315799a0d77a6a5516b05

SHA1
e139611221a990983408d408ad0812f90e2016c3

SHA256
2650518d32e59d7d6702084155b1ef38c625a20d55b81d6aaee8ed14545f3691

SHA512
ee6a52f6a35ff79319adb0e084d4346dfc7e0e90cb6ad251412ed7f37e5856d603901feb8533b2d34ad5aad51f4577568ba298b0ee36fb4f7146a83597d76b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
340KB

MD5
f67801e0ec62c17dd7699c70db9a2768

SHA1
fe847d13fc29b23b07b388b94c7b7e736c137fef

SHA256
42546d682316f89ae5fb0e0615d37800eac848f49506738382a7c14f25c90978

SHA512
f74ddf03b60bfa487f615fa0357e5dce010f0684fb8e90c8d3386d70e956b8d4602240fa2321ec86392d3a84f840019fbfc2321ad8903d56b6e67210c34daf8e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\libcurl.dll

Filesize
96KB

MD5
c034b8d2d293e340fba88b6dc2cf8e37

SHA1
bd1b043502991690a5a6be83433787673c3219dd

SHA256
17dbb9822b54676de729cdc71340e72a576669474186c2911c57982d1d4072f2

SHA512
d5c784d9b88686dbbb7fbda4f7ce8cbc3a552dfd556e54550cf4bf4f7ce4b5d396488f3da2c456abdee781e9837862784cead0530c26751d5e81d40e80f71640

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\libgcc_s_dw2-1.dll

Filesize
64KB

MD5
4cbe6faf53b6ad9c5784e794080c948e

SHA1
8fe51b03c7deb52add43ec9afd0d7615bf39516f

SHA256
a822846684a82cbee25039136b09d46452c8dd20faa16507ff37a1960e9ee415

SHA512
5d8b5bd6e83c0ecf1d27ca221d9e4752e7a33c468ea0abd72a6ca789e9d3a0b0545fc2ec901c1ce66c696a151a46fe96fe9f16bb6e404e59b2951b774c37531e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe

Filesize
204KB

MD5
818f43a2682622bf8c8642d1d0c8ca82

SHA1
1675ed3ae0f99ba4df96c0727e5dd38e482d5ae1

SHA256
51d67be46d1cb9d57973020c3443785ef50bb4acb18921984ec1c3cbe552703d

SHA512
316b042f3b0801ea0161fc15a22eeebff6f42949d47a1485b9bfc38775cb2921e1c6555f161ff4ac3515970665a0c4c59c5d5d23f784254258a35e39c3e9b72e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\setup_install.exe

Filesize
67KB

MD5
407fb84d338fce32c3be5b03b1a815ab

SHA1
b3c315999fe5dda0ca07bbfd08e0513d08e6e453

SHA256
9cb9ebf34877b65f44517f41324e6ee3379dd39613e511037a90344e55683ec1

SHA512
d3fc6863e3bdda113d8b080c80465b12f8cdf162bc53103806f41c291219c4767c093944cd14dd26b43fd47159c0d8beb19bf37211a0955e3f50c9d4f344c0f2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_2.exe

Filesize
326KB

MD5
149bdf01964f2c62ea21b2eb86f7fdca

SHA1
b648f67ce5718ba2d82b003c1d92b7006151ac82

SHA256
886a957df2ff12c151388b562f42fe773aa882e99ee0008c4289da70092bba93

SHA512
6e9f64a657f649f27ad5ad222ddd937490222d5f4c10382de19d5fe6eff3c91c3ce3ef78b8ddf4959bc6d8018f0b2b3ecbd32e8fdc1321bce285b9fd3d4f80c2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_2.exe

Filesize
168KB

MD5
642218d7459f744ce37621d0b20be273

SHA1
a2f3cb1440054504dcdc79911762b89d60a280da

SHA256
9cfe8f20a857ce944b935ee98ca78a93e55fbf4967519fdb53860a44eeb7b13e

SHA512
7d6650588b9dcdeb7c4ed3468e4e78cbd22526a11ecb81bf737e213d7c072a5f8cf85726e3174b2c08f83592932f4fc59a287a9ede6b5efa0f782ae2bd6facac

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe

Filesize
350KB

MD5
b12d3d542e001f677d555975f8736cfb

SHA1
dd777a0735e10943f6ffc345cea5655d3a856e3d

SHA256
e84ad3843aecc8229a6345ce7cbecaa0c8a74aac2f6ed7cd329b538add8aac14

SHA512
3f7efbb2727449c716b7fa148ddef3954707997ce58e0782ddcf248a9dc996660576984d6516d9ea8981e678edc934cbb458dd8df1b0e89b99320bb1015d5bdc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe

Filesize
337KB

MD5
d51bd223eb78c653439b704a39f6844c

SHA1
b9866cff900f7f4b183f207a2c7cb724e5acc8d8

SHA256
ea353f8806124c006e2da2267f231ef407b6a5369426ca999014753036c6f5c6

SHA512
130defc2a869931f2b4f2d461403c69a63762b8124af340d3d8db8d15f760eb28844982372512c5ab41f65b2e56ae4ec3471e253aa25d3d32860895a040cf209

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe

Filesize
364KB

MD5
04fe920c30cea283a62e7aae36d1fd66

SHA1
4d2a38aaa8229e347cceaceec533e6bf27fba78d

SHA256
316dfcb5fddc4a4336da780664c7b5f9b18cb3ae38be8857a9db51c91e5d9aee

SHA512
27519acd11969105f5f46d7196204e1ca4cb4d279ca54e69a4cd694d74163d9dc218d23a69f29a83205e2e5bbc580b93089ac0cf7e699698d024c752fd0e08c4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_3.exe

Filesize
222KB

MD5
d1717bed3b8847d469959bbea9a6e7f9

SHA1
785181eb29a496921841daef7709c06f3ba77a10

SHA256
18ae4ce47820a0357b5c6f1922b9f47bdae1102480011ef682e9faedfad0bcd4

SHA512
aae4a5cc98827a7668af3c846105bef110f5b0a60415a32aa0e99d6c59d1bde6618f06d8d8ab7ad884e4c0796b06eb3dc2217d248c8871e242f863f5db21d9bf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_4.exe

Filesize
170KB

MD5
fa595cebce68c02fd46ada1fe8c737b4

SHA1
8b6a06173339d171ea2011f128b274b7649bd439

SHA256
17232aff76e3b361355b110d77cc1e2942f2b004485706f38995db15808f7d4a

SHA512
36cb2d5edce78419134939a8293bee2bd6ab34a2ae14f77eac2b815dd3cfc7834f88d573af63d0a8a7167dce69e7f8f5237fe73029e66deb571d22471dbc40fb

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.exe

Filesize
25KB

MD5
3a5b06753696bc24f5cf4629ea438eb2

SHA1
ccfafd40e7a150d5ef85f47ee1589fde314cac7a

SHA256
f14139f04cda1d536ffb3e7c7acde23942e22458bc1f79d6fbd62e30dd7541d2

SHA512
6a5f1d8feea52c993a79852996872e54fe166070a6ba1e45c526fb7ec77ce0185b641d1f749dc7d468ca036f6714c719d758cbefcae25cef40eced0e859e6026

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.exe

Filesize
249KB

MD5
cd79eeaacbab8d40a0ca8a9a80fa5847

SHA1
73f5e49ca4d499e736204419fcf02e0839dadb8b

SHA256
bb4cbe91a5da6e4136a3df5030e7d1745778f5d784ecb03bc5f0dbaff47a1b3f

SHA512
30cfee6513d8c30a0a17215d1faf3d4f60e733cdd08aff158f6a87fbc56696a409d28b3d09bc92983d2d5e0e2ee6c1283753b3985ef0302453dad1f157b5853e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_5.exe

Filesize
337KB

MD5
1eb27e531db712ab720f01d8d76d2238

SHA1
f3fafa4c6f1ac44a6e12c471637cd12307f7076a

SHA256
7c8132258711373195d60e83b9e0cabe01e34cf34b06885d7d7695adbf9507b7

SHA512
39e219411987dc20b03c2417a08053a17827d60211918945d183c76391995deb0efd177b99a834fba7f1bc81bb4ac6c974347882641749f2ae355bd325cf9bb0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.exe

Filesize
56KB

MD5
6c2b067247217a3d09f2876540a62358

SHA1
bc264dfa7403dea5be268306159e167ffd41b1dc

SHA256
b96141f481b23b7319292f11ec7528167ae93154debe449facae6b24d37ecd07

SHA512
6fcfdfece08c4b2dce45ca50ba5685515eb1b6621d2b417575f52fa99cd9d89c113ea353ad8f9e75b07c3c36121e96866bbee56c2ab15b9f9cf6b4c255833eb1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.exe

Filesize
68KB

MD5
e88e8e7422fc8897e57e6c6d42f7b28b

SHA1
a62ac695685b11202bd8bea92937b8dcad297dd1

SHA256
65b218e9b99ccd90ea2683a87497af071616985f11fe9f5609823d19026e59cf

SHA512
0aecc9c860a5c7293d23ca06b21ed1856ad03bf27a1e7afe9db88b863e8b104681b2431bcc10bb29ac6f21561876f65465a2ae6ddee332e36b44442274ba0c4d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A748566\sonia_6.exe

Filesize
312KB

MD5
75c4dcc58198f2088f3204d09c7f8cee

SHA1
5ecc08384cc2a678953efd8bc181a269682a8eaf

SHA256
dd65deedb7e4bde9a68aea9b7e14aad72ff30ca9f916c4640d7dddf75b72f796

SHA512
144dc3dbac7c88cea61d7e12793d10ad448c633b7f09f68542a4351d61af1fbb1ec2c37ab9643793eca34c970bd8851fc088575d9d8b5529be3550c0f8cd16aa

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
382KB

MD5
aac24e5569e1d3b0419177c540f31271

SHA1
0ce593050f7896bb02ef79377c561d3ed497223b

SHA256
b1a9cbe11cd3e813eb2cfb280fdff52668068dab0902fa9216659cb5687f6a41

SHA512
f6fb4661d637bce2376e3df779c1e8df1feafc2183ab2889c23b8eeca33b562f407ea3bdf495aa4b692459c668c4abbca1119107683bd8325dce6d68361051be

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
410KB

MD5
3beca358d15e75a2dec7a0603b0b486b

SHA1
117e4957eab3c66a18bb39563f43b9ffb7cc2665

SHA256
62d193e2e44dd2c5a8615b611424a048138645caca52e11cb66da5ca5abfcbfc

SHA512
a7c660f61f8b6c07a5f0f8b6229588f9cc8a5a9e29b835b39d991fbb15e98f98eaea8106a5f6ccab3f8871c53817d6315f62645018855cfefe0045638ffa2999

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
508KB

MD5
6ccc6e5886aafdf70eb8b4bba969dbbf

SHA1
25467f199635b2c2ce5d2326a01ad0ea575c8a59

SHA256
b8db9f7714e6aba871c2adf1fe39e368b09c9611a7a66e4cb2e0cfe06c68e315

SHA512
cf3d12370cac16ae3d4d68d4cae9c10546e049040a4e0a043de99fe80d16cadfb3bdff86d86656ba712c75d5c436c35e156c337e9f8dee822b707af444f886b7

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
327KB

MD5
c6537a35fdc992eb419e0f70b60d8b65

SHA1
10ee590c430005447952a75f614ddc15fbbb297d

SHA256
03f1f8cc9df5205517131f827b847fb774d69644a019fb419d1c4123ad5ce154

SHA512
1f128aeedfe4ca7b46c34f2f2b13ab273d7dbbf2be01601f7f7bece466bd81c00603983f1e50279df740c6c892303b89abbb2a472c1d717c5011331956f74d88

Download Submit
memory/1220-258-0x0000000002A40000-0x0000000002A55000-memory.dmp

Filesize
84KB

Download
memory/1256-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1256-149-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1256-151-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1256-150-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1876-304-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1876-307-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1876-295-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1876-309-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1876-303-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1960-49-0x0000000002840000-0x000000000295D000-memory.dmp

Filesize
1.1MB

Download
memory/1960-47-0x0000000002830000-0x000000000294D000-memory.dmp

Filesize
1.1MB

Download
memory/2168-153-0x00000000003E0000-0x0000000000404000-memory.dmp

Filesize
144KB

Download
memory/2168-154-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2168-152-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2168-155-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2168-148-0x000007FEF5F20000-0x000007FEF690C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-147-0x0000000000D80000-0x0000000000DB2000-memory.dmp

Filesize
200KB

Download
memory/2168-284-0x000007FEF5F20000-0x000007FEF690C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-84-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2552-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-85-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-87-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-88-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-86-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-82-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2552-78-0x0000000000C70000-0x0000000000D8D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-262-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2552-264-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2552-265-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-267-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-266-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2552-263-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2552-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2552-72-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2552-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2552-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2552-50-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download