f41d12d5b736a82f4c53e3c3f242560dfd800a24076186399dd695f3b493184b

Resubmissions

04/09/2024, 17:40

240904-v85jasthkj 9

04/09/2024, 17:32

240904-v4e3vavhkh 9

04/09/2024, 17:24

240904-vyq8xstgjr 9

Analysis

max time kernel
493s
max time network
499s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bootstrap_win.exe
Size

8.4MB
MD5

94bb92418bf395fa8d5ac86ab036f121
SHA1

2a62229615d627cd225a783079caff4f22f4005a
SHA256

f41d12d5b736a82f4c53e3c3f242560dfd800a24076186399dd695f3b493184b
SHA512

7205e4e6a67f2685669bb2262e6f3c459978e20bf80497714d1b67ede1731b92c0ed067181c703ee8cd43bf9d5780469eda00706f4b96dfc7ba18bbc688f099e
SSDEEP

196608:dDHArnQmQ6ikz8BnfVamqeDR9Loa8S/qErUfN40v62U+MG:tiVQ6inNqeDR9ca7SErUfJy2Uo

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bootstrap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bootstrap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bootstrap_win.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bootstrap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	javaw.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bootstrap_win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bootstrap_win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	javaw.exe

Executes dropped EXE 10 IoCs

pid	Process
860	bootstrap.exe
2268	javaw.exe
3708	javaw.exe
2032	bootstrap.exe
3948	javaw.exe
2628	javaw.exe
4136	soup.exe
2300	bootstrap.exe
4168	javaw.exe
1712	javaw.exe

Loads dropped DLL 61 IoCs

pid	Process
2268	javaw.exe
2268	javaw.exe
2268	javaw.exe
2268	javaw.exe
2268	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3948	javaw.exe
3948	javaw.exe
3708	javaw.exe
3948	javaw.exe
3948	javaw.exe
3708	javaw.exe
3948	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
4168	javaw.exe
4168	javaw.exe
4168	javaw.exe
4168	javaw.exe
4168	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1588-0-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-2-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-3-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-5-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-4-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-6-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-7-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-8-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-9-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-10-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/1588-19-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/files/0x000800000001aae6-51.dat	themida
behavioral1/memory/860-53-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/1588-54-0x00000000002C0000-0x0000000001832000-memory.dmp	themida
behavioral1/memory/860-56-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-57-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-58-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-59-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-60-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-62-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-61-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-63-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-64-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-65-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-115-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-131-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-132-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-133-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-134-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-135-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-138-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/files/0x000700000001ab51-340.dat	themida
behavioral1/memory/2268-342-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/860-343-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/2268-344-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-345-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-346-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-347-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/files/0x000700000001ab1c-351.dat	themida
behavioral1/memory/2268-352-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/860-353-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/2268-355-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/2268-354-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-356-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/2268-357-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/860-358-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/2268-368-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/2268-367-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-374-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/2268-373-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/860-375-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/2268-376-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/2268-379-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/2268-378-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/860-382-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/860-389-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/3708-391-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/3708-390-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/3708-393-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/3708-392-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/860-396-0x00000000008E0000-0x0000000001E52000-memory.dmp	themida
behavioral1/memory/3708-398-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida
behavioral1/memory/3708-397-0x0000000008000000-0x0000000009975000-memory.dmp	themida
behavioral1/memory/3708-400-0x0000000180000000-0x0000000180CDB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bootstrap_win.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bootstrap.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3900	arp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
1588	bootstrap_win.exe
860	bootstrap.exe
2268	javaw.exe
2268	javaw.exe
2268	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
2032	bootstrap.exe
3948	javaw.exe
3948	javaw.exe
3948	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2300	bootstrap.exe
4168	javaw.exe
4168	javaw.exe
4168	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrap_win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootstrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4244	WMIC.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2180	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "359"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "392"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7678"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "359"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7645"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\.class\ = "class_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "392"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\class_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\.class	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	bootstrap_win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bootstrap_win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bootstrap_win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bootstrap_win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bootstrap_win.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1588	bootstrap_win.exe
860	bootstrap.exe
2032	bootstrap.exe
2300	bootstrap.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1588	bootstrap_win.exe
1588	bootstrap_win.exe
860	bootstrap.exe
860	bootstrap.exe
2268	javaw.exe
2268	javaw.exe
3708	javaw.exe
3708	javaw.exe
2032	bootstrap.exe
2032	bootstrap.exe
3948	javaw.exe
3948	javaw.exe
2628	javaw.exe
2628	javaw.exe
2300	bootstrap.exe
2300	bootstrap.exe
4168	javaw.exe
4168	javaw.exe
1712	javaw.exe
1712	javaw.exe
2300	bootstrap.exe
2300	bootstrap.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2308	7zFM.exe
3816	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3256	wmic.exe
Token: SeSecurityPrivilege	3256	wmic.exe
Token: SeTakeOwnershipPrivilege	3256	wmic.exe
Token: SeLoadDriverPrivilege	3256	wmic.exe
Token: SeSystemProfilePrivilege	3256	wmic.exe
Token: SeSystemtimePrivilege	3256	wmic.exe
Token: SeProfSingleProcessPrivilege	3256	wmic.exe
Token: SeIncBasePriorityPrivilege	3256	wmic.exe
Token: SeCreatePagefilePrivilege	3256	wmic.exe
Token: SeBackupPrivilege	3256	wmic.exe
Token: SeRestorePrivilege	3256	wmic.exe
Token: SeShutdownPrivilege	3256	wmic.exe
Token: SeDebugPrivilege	3256	wmic.exe
Token: SeSystemEnvironmentPrivilege	3256	wmic.exe
Token: SeRemoteShutdownPrivilege	3256	wmic.exe
Token: SeUndockPrivilege	3256	wmic.exe
Token: SeManageVolumePrivilege	3256	wmic.exe
Token: 33	3256	wmic.exe
Token: 34	3256	wmic.exe
Token: 35	3256	wmic.exe
Token: 36	3256	wmic.exe
Token: SeIncreaseQuotaPrivilege	3256	wmic.exe
Token: SeSecurityPrivilege	3256	wmic.exe
Token: SeTakeOwnershipPrivilege	3256	wmic.exe
Token: SeLoadDriverPrivilege	3256	wmic.exe
Token: SeSystemProfilePrivilege	3256	wmic.exe
Token: SeSystemtimePrivilege	3256	wmic.exe
Token: SeProfSingleProcessPrivilege	3256	wmic.exe
Token: SeIncBasePriorityPrivilege	3256	wmic.exe
Token: SeCreatePagefilePrivilege	3256	wmic.exe
Token: SeBackupPrivilege	3256	wmic.exe
Token: SeRestorePrivilege	3256	wmic.exe
Token: SeShutdownPrivilege	3256	wmic.exe
Token: SeDebugPrivilege	3256	wmic.exe
Token: SeSystemEnvironmentPrivilege	3256	wmic.exe
Token: SeRemoteShutdownPrivilege	3256	wmic.exe
Token: SeUndockPrivilege	3256	wmic.exe
Token: SeManageVolumePrivilege	3256	wmic.exe
Token: 33	3256	wmic.exe
Token: 34	3256	wmic.exe
Token: 35	3256	wmic.exe
Token: 36	3256	wmic.exe
Token: SeRestorePrivilege	2308	7zFM.exe
Token: 35	2308	7zFM.exe
Token: SeSecurityPrivilege	2308	7zFM.exe
Token: SeIncreaseQuotaPrivilege	3884	wmic.exe
Token: SeSecurityPrivilege	3884	wmic.exe
Token: SeTakeOwnershipPrivilege	3884	wmic.exe
Token: SeLoadDriverPrivilege	3884	wmic.exe
Token: SeSystemProfilePrivilege	3884	wmic.exe
Token: SeSystemtimePrivilege	3884	wmic.exe
Token: SeProfSingleProcessPrivilege	3884	wmic.exe
Token: SeIncBasePriorityPrivilege	3884	wmic.exe
Token: SeCreatePagefilePrivilege	3884	wmic.exe
Token: SeBackupPrivilege	3884	wmic.exe
Token: SeRestorePrivilege	3884	wmic.exe
Token: SeShutdownPrivilege	3884	wmic.exe
Token: SeDebugPrivilege	3884	wmic.exe
Token: SeSystemEnvironmentPrivilege	3884	wmic.exe
Token: SeRemoteShutdownPrivilege	3884	wmic.exe
Token: SeUndockPrivilege	3884	wmic.exe
Token: SeManageVolumePrivilege	3884	wmic.exe
Token: 33	3884	wmic.exe
Token: 34	3884	wmic.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
3612	firefox.exe
3612	firefox.exe
3612	firefox.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2308	7zFM.exe
2308	7zFM.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3612	firefox.exe
3612	firefox.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
3708	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
2628	javaw.exe
1712	javaw.exe
1712	javaw.exe
1712	javaw.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
3612	firefox.exe
4568	SearchUI.exe
3708	javaw.exe
3708	javaw.exe
2628	javaw.exe
2628	javaw.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
1712	javaw.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
3816	OpenWith.exe
1712	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 4288 wrote to memory of 3612	4288	firefox.exe	72
PID 3612 wrote to memory of 3472	3612	firefox.exe	73
PID 3612 wrote to memory of 3472	3612	firefox.exe	73
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 4772	3612	firefox.exe	74
PID 3612 wrote to memory of 3552	3612	firefox.exe	75
PID 3612 wrote to memory of 3552	3612	firefox.exe	75
PID 3612 wrote to memory of 3552	3612	firefox.exe	75

C:\Users\Admin\AppData\Local\Temp\bootstrap_win.exe
"C:\Users\Admin\AppData\Local\Temp\bootstrap_win.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1588
- C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe
  C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- - C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
    C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe -version
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- - C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
    -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Dcom.sun.net.ssl.checkRevocation=false -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -XX:+DisableAttachMechanism -Dcom.ibm.tools.attach.enable=no -Djna.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dr=1 -Xmn256M -Xmx4096M -Djava.net.preferIPv4Stack=true -jar C:\Users\Admin\AppData\Roaming\.sonoyuncu\launcher.jar -95452474040 C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe -nb:0.1.38
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3708
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" DISKDRIVE get SerialNumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3256
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c start C:\Users\Admin\AppData\Roaming\.sonoyuncu\soup.exe
      4⤵
      PID:1832
    - - C:\Users\Admin\AppData\Roaming\.sonoyuncu\soup.exe
        
        C:\Users\Admin\AppData\Roaming\.sonoyuncu\soup.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4136
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start bootstrap.exe
        6⤵
        
        PID:1252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3612.0.1842988367\2144727442" -parentBuildID 20221007134813 -prefsHandle 1620 -prefMapHandle 1580 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c067ab-1873-4aa8-b5be-e7142917bd4a} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 1708 25a2ebd2b58 gpu
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3612.1.1900498800\1706029433" -parentBuildID 20221007134813 -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349f9414-456a-436f-b64e-b1307dd922f8} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 2084 25a2e6e3558 socket
    3⤵
    - Checks processor information in registry
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3612.2.1068866344\2030235078" -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3096 -prefsLen 20886 -prefMapSize 233414 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1167f3a6-701e-4b72-92fa-c3997666ec42} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 3124 25a32995b58 tab
    3⤵
    PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe
"C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2032
- C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
  C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe -version
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
  -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Dcom.sun.net.ssl.checkRevocation=false -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -XX:+DisableAttachMechanism -Dcom.ibm.tools.attach.enable=no -Djna.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dr=1 -Xmn256M -Xmx4096M -Djava.net.preferIPv4Stack=true -jar C:\Users\Admin\AppData\Roaming\.sonoyuncu\launcher.jar -95452474040 C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe -nb:0.1.38
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2628

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.sonoyuncu\logs\latest.log
1⤵
PID:3852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap\logs.txt
1⤵
PID:2804

C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe
"C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2300
- C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
  C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe -version
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe
  -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Dcom.sun.net.ssl.checkRevocation=false -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -XX:+DisableAttachMechanism -Dcom.ibm.tools.attach.enable=no -Djna.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dr=1 -Xmn256M -Xmx4096M -Djava.net.preferIPv4Stack=true -jar C:\Users\Admin\AppData\Roaming\.sonoyuncu\launcher.jar -95452474040 C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe -nb:0.1.38
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1712
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" DISKDRIVE get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2180
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Windows\SysWOW64\whoami.exe
  whoami /user
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name,status,adapterram,driverversion,driverdate"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3280
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name,status,adapterram,driverversion,driverdate
    3⤵
    - System Location Discovery: System Language Discovery
    - Detects videocard installed
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe start ver
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\.sonoyuncu\launcher.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3816
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.sonoyuncu\v.class
  2⤵
  PID:3132

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.sonoyuncu\logs\latest.log
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\+~JF4791903227545147053.tmp

Filesize
163KB

MD5
fdadc889ea3e80c1cb3e18ce50239c89

SHA1
2bf2e91e17c25cdc7a318ff44490835f89815cdb

SHA256
8e71886fbeae0197ac6f5b2dc8061b52e9a1f29789c4a6c47b862fc3e6846cce

SHA512
b1c5b85e09754a97f4835e15e72e70bad3df19d0ab74a299527ce37b6d688bf0bb8cafaa68d0f042267e6f0b24d7b67930401cc7824d2d8a0228f70f6979f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\+~JF5570322899448293433.tmp

Filesize
212KB

MD5
3912cf7e8700533c8476a5b85b69c9fd

SHA1
d743d67e2b845140b6f61f70da6535cfd1a54381

SHA256
d3a7c1194b21628fb9b835984f0e9f7a70c8caebe9772046b02b9fd1c6bb473f

SHA512
b5c8b6792ddc04a6770ce1c25487b0beb535df4a49436c579e152adf59901a781cce462a3c31fce22ec71c494e1b95abac52073a13082de26985c6681c57f155

Download Submit
C:\Users\Admin\AppData\Local\Temp\+~JF5608390947395762360.tmp

Filesize
211KB

MD5
742d296962364dd1371d29203e27d9ae

SHA1
89bcf7a0653a38c04ac777fa7fd6441e19561c42

SHA256
e4ae6a5edeaf815de988ef39d38c70df2769f763b921773ed8a9f9323ad1006a

SHA512
ad25252fc554e9356ca9d30451ab88d014a3d16253ca2e67a01ef51a394e51b9447b455d6b67529690f3fdcc93531911d0a08319340d56a1e65a1ec6b89a0f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\+~JF7104379151897512889.tmp

Filesize
178KB

MD5
023126bbcc33a9efc1a3aec851bbd5cf

SHA1
d38f2039fe62f9f30c4187a6b2d2984fe1ecdabc

SHA256
5140821cf5598ad0ed69682ce843735a345dc55bebc47563c9184c4c563f8d96

SHA512
cd2c28d90f125cb4121bcfc0765b5806c650635434934524f22d379a381bce0c2b1f8bc1b29c801ff6c36022456934938e8a09d4582fc103066c7f394aa643f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\+~JF7950337934207044440.tmp

Filesize
182KB

MD5
bab098a8fb11220a359001b349fa07dd

SHA1
caae60755a17b9f754a910bced367d28aa12082b

SHA256
23e6aad30f4eb959ebae111d374a24ec96185d69af4baf4659755b8c7368518c

SHA512
3430583cbd23e6233d2862f554baea4b2db048c1ffdd68591636c0c7083ac8982bd1c2eef541c36fc984dd5ccf0de7a2e7ca48e6c153998718be008f9a2c33b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\+~JF8027074108317922761.tmp

Filesize
181KB

MD5
e98021df0307ff71f580620f87091940

SHA1
b8eb63a5e9c4665101b04d4aed366c09a527a957

SHA256
d20aa02d7211ed84e14c6db14998c46d7eb49fbadd48b1667b35ab042c175452

SHA512
565db63aeda1f5d85b95eac82228a22ff170ec92979484153201cbd98a4ee8a7316acd2fdb96e7d368c5c6aa0d5cbc2c96cc1c9b26cb92ff8c537d11d702f953

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1093279597581749899.tmp

Filesize
369B

MD5
87ca932467a996ac9ef120d87f9fd878

SHA1
e81c736ed3b416a3f1d07960f1074f9c27aaa930

SHA256
a4a4785fa3a1b5040627513b984f577507ef3aaf46e2344c3c0d80a220a97c7b

SHA512
dccae5e94bab271d4300ce9a3685b04725e579ca321ce41e7ac577d48c4c7c8b748f4b222be45a39a63c60e5bede5ba16fa91f7ce225807c7d22e4782cf4fb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1105874677618881313.tmp

Filesize
479B

MD5
fef6919ad02386e9b0e72ddfe9d28065

SHA1
b62d15316d08a1ef083e3897b497c36b02b9caa8

SHA256
a265cd9802c8e21fb69bb37d60203e24f2878d74e1160c8cf111c7fe0af95a83

SHA512
276aaebc0987e474b880c1c6ea412dfdbe6bddfa19c029392736e4481bbb58bb5a3debe545d04accdee0db80b57824194dc743c91ecb4e965db1c7310f765aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1349961806135528094.tmp

Filesize
2KB

MD5
22a18ad7fae3080c33155c0992a192c2

SHA1
9a4bc738925e8a620fdb97605ad5cba25f87c500

SHA256
b234c15fd5353fafc6b9992d6544775f31e257fafe7c4808372b0a16f9dbd46f

SHA512
d9e53f1e9ebd6f61a97fe19939edb6138655532a00332fdd6ed501483fa4b26744fe64a254974669dc74ce3a48da6404f9b9ceca95a7968436fc760f4d0d9426

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1532946929590767412.tmp

Filesize
547B

MD5
166283214852b2861be989d77280773e

SHA1
cd351fedf429040c9bcc24c46f0cabb2a25343ff

SHA256
3fea10927bcfc274ac3568a7848de7bffee9d6fc2bd8d8fe259389799f1ca72d

SHA512
dc1fef76b0e1ceed6c2a909c84e6797466e281db4fe2337826b5908174235dd6350fcba1df7a6de2a314fe0645c7b5e6c6b74dee42c80bd20ce8052be42972bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2005256800719578896.tmp

Filesize
930B

MD5
9b2a848bf2c434b3330a1a5f84ad67ef

SHA1
977c7356a3b82572c0f1f83170d7124c04c3e313

SHA256
d80c64e1609779247960c256104fa3a59efea42ecd658fd4be787542695e96e8

SHA512
f9d1b25d2e16be726e14fc2b8952e1443c6683d8b7b9d41cd00972c51406ec2de891447bc6fab500b5241906afdbe55fcb612b747622224b0bc95bdf7d5b1177

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2086537213915971727.tmp

Filesize
20KB

MD5
4bd93e393ac68cca92e2808bef999ba8

SHA1
72992d9b9dc97f6b18519ffaca89913b28121d75

SHA256
f4ae721da67fc5f6c36a0c5076cc6111eb66aecab1a51d83cd50942846ad66c7

SHA512
d12960978399bda0699aa887bdedcdce04e4c6cb8fbdbc39e72110e056cfe0ea66d80524718f7f9edd8402e756bd8d4e21c9f1f0aefe8debe16a8e453ce7e9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2094417097322194043.tmp

Filesize
1KB

MD5
65f1728f056fd25191698f5294a04436

SHA1
22eda91ad728a84dceb1462479779691c85f1bba

SHA256
598924a8b8f4634eab28297e66ade5a23323b9553703408a5f29243e21ebfd9d

SHA512
eb9eb0deef7d7ae096b3269facf788d6c4853fb3d4045555e2c2e249606f6f097d1e88803a2662ffa9e4a6cf8c970250fea3645eaaab09129b04ff1ea7d2e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2170095584149055516.tmp

Filesize
156B

MD5
0b7e65599e627227cf7457fc6a7dbdc4

SHA1
06980962a41bb4530e92d39a453155959f0a5edb

SHA256
a75c06eb6d4b470de1a6a9a956132549a276ead6952c9a1f238b436eb6636b42

SHA512
26ac7e3a48a03b1d77d955d6a09775809522c0abcfe2790e8a9164729e9bcaaf88b0ecc7f530fdfdee2b669c689bc6de5cf8290d40fd47006cb6c10473f4628e

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2320486883794294837.tmp

Filesize
212B

MD5
79e549f01afbd10c0e543088aed876fd

SHA1
36591e68751e9b4737d096a540463b0fbbe319df

SHA256
383da7f60ffc5c536ae63438bdc9aebf0f00979aac3dad91f672395106338365

SHA512
c4e32142577019639ec72421a52ba2b82a3e5be57f66e416077484c8567670dd90fb232835a2c13589e7866023da80d260ee81f4b23e8512a5329bf1cfd5431e

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2533846950912034964.tmp

Filesize
713B

MD5
b518cdf7e0038b2723f4aac45a1a0520

SHA1
b1deb4d29b718d7e7ba6cb8bef13452ceef4a121

SHA256
9f59f74f765a11c6eb582904775cf7a052abf66a55adf817e6796045879568a5

SHA512
ad5aa2be5ee5eeebe5c18b40e5fffb49d4abbe0639a9c7e1871666ce3b04e58b150e2c0162cf8d60b9eefc7c51cc661c4d87a47d23dbd0d734b5b7580a2f7495

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2586429549859850793.tmp

Filesize
767B

MD5
3d4b8f1ee53f4f06127b4ba02a3ee822

SHA1
051c1092c1be7919b23ccc6147d63d6d407806d5

SHA256
850368507f507fb2b921390142cba07c732b864a286356dac584bbe54e1b5dd7

SHA512
6b173acb7dc022ff6d0c3e70782c956d33004219d6ded7ebcaecdcb9246f8041a30d4a71f8e8c1a7c58d76ca6b0fac1a72c43eeb49e8869555db035b7f534152

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio2686344501343695233.tmp

Filesize
162B

MD5
71ed4bff97e17529733705855663f1d6

SHA1
2bad9b521a03315ad5fa7ffb1e25363686da60c1

SHA256
0d2ac5cfce4ac10bbd876655524276d93a657c22aa552a2120caecd47febc846

SHA512
2753687d2943ba9a2c0c12591cb161d3c4910b0f3702597383af5303f1234f30c31dad73788f591823bd108506a1c46372c5143c7b40ea767785ef081b2e9a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio3621132385553148820.tmp

Filesize
127B

MD5
1f77119ac6a12b6b1f440cc545ed169a

SHA1
4bd92f59d906ce2ce297304eb5113781a5e71340

SHA256
da845810bd4539170d398fe285e99a6ca642d56b7dbb28e96692bf1624aa33cf

SHA512
ca37ab84cd72cd8d1567a11f22870a1234c544e507ac8b0b924148962b60cc3da851f26a963ecfca3fcb1edabd08ccc1bb536a28d6e4acb1822d2a8e4dbc3e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4028735958951562804.tmp

Filesize
689B

MD5
6284f8be33602dea74f717ad74c2f69f

SHA1
9bcffb851058da46a2243a6f1f2a80c31abc1f37

SHA256
3fc14dff77cb963a67b897c81f8d115a561d5e43dbe17fbeaf5b2bb504d3b292

SHA512
1a10fcd39891005e484f758b185a2d5fe37fe6e5618eac9faca2cb610a6b3dd4d27525c83b51cf6f6b33144f8e1a2633d846f1a754b6e3ecd7d810981f5b5416

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4081327457002650358.tmp

Filesize
1KB

MD5
787e92472a675baff8dee162af98d665

SHA1
0f637c047e6b62bf04616ab9c2906f3e3e6eec3a

SHA256
acd653d79a45ab3f0d06bb9d6e2f0137a9d04c2a2885bd607a467de671168336

SHA512
be33dfb8e8c73095d5f62504ec56cd554e1384426b3ae24d11e288ebc65a0d948c1a8766aad6c68f14b9ecac5c71fc4a7544d60edbd1c75fbaa9533ba06183db

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio501414682072952384.tmp

Filesize
821B

MD5
e3e70efb4c5c770d59d918324bb37a59

SHA1
cf66dcc684fa0c02faf743b0447e081de98916f4

SHA256
51ddd5d22437b13f7f66c128dbfb1b51e0db31eae9b8128f4118969608d90cc2

SHA512
e1a08c6b8ecb78cdee8504183c651b5836beab72729612db5ee6901c022791eaac05e4684979a08c41cde6b18d741af5068c780b8ecf7bf1a148c3507a61ab45

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5340952128261418296.tmp

Filesize
42KB

MD5
0d1d16c7f018391a4fc98ec6cdc52b20

SHA1
cdaab0b2e56c68f43f1251e0bdc2a329183b3e37

SHA256
1c2086648e7e4237ca49e0e32bd4456da1b7b10a0a833c55ca6d03cf7f8c4873

SHA512
b2e0c22561583baa3b8518d24333ba605201aad10f6597ea5547b590d0344c0e765d0366c240d145991187ea9ea0e51bcbe5d97257526efbc124e631f1a81b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5641302641290899164.tmp

Filesize
641B

MD5
8958d6326731f24c898ebf3b355db856

SHA1
7d1a06616fd8cbf9bef03facc0683525a8357991

SHA256
efbb022e9b3460c1fb250e0780e4b2128e5142255ad04d51d4ddf3a4393888d2

SHA512
965708b62d388e4fd113ba6b47e71b8cc8d3a32295f2e34ef77c50d42f96810a7839517c2a645d6d7245c19a7ce214c2fff1c1035cdfeb4c7fff540a6dfee824

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5786180047623182446.tmp

Filesize
407B

MD5
9dbb5f3d050ff30cda59f33fe3e07dc4

SHA1
dce67b89b711975d8f4d4ed69cb9adaa84fcbe5b

SHA256
503c571bd052725918a902b82baafc48818ffac93d768fda12d613b24fbc408f

SHA512
8612354010d68958a6a7e1ce8ee96b907412a59d48efdb759a18ca5093f525dfb2c8bf52be0d2cacdbcf6beb13446e5d2df611a873fc9e2e6185e8fedb973056

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5964033249582717033.tmp

Filesize
178B

MD5
0ffa2bed1270aa8a775a471584162391

SHA1
ab21b1b62610ed70f2586993100e1dcb9022de27

SHA256
75c36f4e7a64dd40467d489b3bfc8f83c2f13de503cd7b793d3d9f4f355b7c54

SHA512
c403b15ac65a5a21a2a7d2973438d7cb0a2e2876243d5b49483366de48ac09bb826ba68095b050711f078d46062d93b127afcd1f63670f4f04c9ce605e337558

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6317932235840577081.tmp

Filesize
5KB

MD5
f80b3491ccfd5b99dc22f10bc663f956

SHA1
a7ca917a0348cd507720de79b04197d7513c9e4e

SHA256
b8949fa86d766c6d892bd42fd555edc775ee23e20f11c1859d43ef5fcb89b5b0

SHA512
abe216d7fce65188dd66a5c3dda93c74d42c8b9cb3f50385426617bc2a646540d08aa5a7845c330546cacfd94a98f7745487f0c406a0daf2fcf82b81af17cfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7510791949830467143.tmp

Filesize
3KB

MD5
e14f32fb1bcba99f17091da9cf2c202a

SHA1
6a37b470ec928deb0715ddf30a76ca491065fc5d

SHA256
6d9ae59bf8f5dde70118914329a0c81a890672cd896a13b0ecafafd56add7080

SHA512
a796c479076f69d4658684cc1690292677d2f43fd7a7674db215807583a747f9a75bae75b0ff8142a6868b9efca2fa2fa1dcc4501e4408d5342c50b4f6593a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7752023224494428342.tmp

Filesize
77B

MD5
4ea5a85607c8d79a40f34a83f9606d9f

SHA1
00ab8ad30d595235076f86df6e3176fd6bd4b565

SHA256
1e9f27000bcbdca00dd91a5f61990320de190a1466caeb7a74fd6405049d4185

SHA512
4c4cc2bc70864b61a62d8d9a6a386d28b09ad913086499961182ed62652c73244142606f8159c8668d2ccb4a6b97de31748bbf09781d30a0c7ce29c88ec6f73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7769685811507476499.tmp

Filesize
26KB

MD5
7ffa0a701060817a293f0454c9b5e7ba

SHA1
480b111a104519de65dc9c0a76ffb38ca8bd04fc

SHA256
dc5c4d3c36073fd34b344c792bd7110460a7e13e793019a0e4751c5ae1504bc6

SHA512
57701b52bf49f1286bae8e88a2012d4b4aea2006fb07a1ae08447baf91e612bfdaccbe961013ff068fc9b67c24789a0aa15565a115bcde8df62396dca17d55b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7809383346601916548.tmp

Filesize
786B

MD5
3199511bbeede7e3448edf52e2d4e72a

SHA1
985fa8d85b621a5f23390177c38f7fb4711a037e

SHA256
2aacb5a3c55d776aa23eb3f5d4cefa082e079c87b715bccbeb3d6e1af748c7eb

SHA512
b69790a69807950ac4c72f06beed96f843018d73c9af226a039479598afeb2be691235489c46aa208fb3e98450877200780ebc78f97f35b43aa230a1abcda86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8181276834411240733.tmp

Filesize
50KB

MD5
3a263684d9a86fab49b3327e93c00cde

SHA1
aa0bc7cac8c8618491eeeb5367d1ea7ac5ebefc1

SHA256
25acc30c00f668adfda50b267fa0bd9a4d188cc9d0fbf7063a6d1a0087b7d197

SHA512
3f91f2e325ee1c08e4da56d6f9ba87eb7816f8a79a516133c8a6c966a51432191fddc6fd39d43506a15ae072c92c4fba36a1719191114d9b6c1b49afecca9f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8396911824822889924.tmp

Filesize
541B

MD5
97c7d11432b812e1a6b38034e54e5e49

SHA1
b4154c81c468bb09b26b6b03c59dc04bdabed64a

SHA256
128198b74b225d4306b6daac162f8805435823c5c94883b2e6bb0134ccee5cb7

SHA512
0f74c46e769d99ce6102184d961a2e959d187e233c54cf9c00157c0652d123c1afb31cdbfc87d9cdc5c0c02a359447613012cf838fd71cd97bc4fabd28fd1d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8756700543166385023.tmp

Filesize
276B

MD5
e341f7febe139cfc3b47f6d304755af4

SHA1
bcda63bff75d798e5e062181914e1ac869413e2e

SHA256
8588eedc8c376d6a5e9778aaaa4e6bb79c8cb43e85f21d3b9b7c750055a89008

SHA512
7ddfc70dd6ac5b87daf1392f232f6ddaf7fa8f651cad82f737033e5b558355cefc97cc45c87150cbfa02a55e2c6b6edc194ab887d406193b63392b9c35473b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8786201403682555181.tmp

Filesize
3KB

MD5
e896142c774d2542b0ecf31c3404f469

SHA1
2d702e72860f4074c7308a76cc8cd51b67539cf3

SHA256
7cdd6149c47cb8f72ffe457e00ad1b15b11cc9415ef014ef368ef88320eebcac

SHA512
a6ed18370eb9dd432a26747946ad3b36456ccb7315ec1dc79719533356714e629bb5c7a1e0600c5c777beed255b940fad13d8a456c307d54f6415b9254a164a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8865675821050807574.tmp

Filesize
9KB

MD5
6727e0e67d71006ac6fb4ad53e92e1c6

SHA1
45710da4892f4c77443d7935c5103087059681c7

SHA256
73a6daed5947fe976d15654f01e08d1648da4942413606d5532e3574fd2b4ad5

SHA512
ee5b2ad841920385f2a7abc4ab014ef6a46b01d789bfd3170798c838066a8bd877671fe32947ce160d6def019a6492d970eb6ccf954e93250902cc34c984f42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna2669816178404111425.dll

Filesize
240KB

MD5
68bf293ed84fec43a17dbc830b6001c1

SHA1
e2841508e29f91c168c0a620c57cec387f681a6c

SHA256
19e394e5d7a64f1e5063043f6f8d23243db22ff87d67e9e930bd13f8b12bf275

SHA512
31679b608c01138c97dd0cb6692a00359e398623097650b72a8f4f2701955232657431df41dc3b1f5681de0c30ae6357d1d8343c6124532f2a067210bd1c9fb8

Download Submit
C:\Users\Admin\AppData\Roaming\.sonoyuncu\assets\objects\11\116d77384a049b109af9abc76f1802fa73063154

Filesize
175KB

MD5
d8640e275b34fd3ad8cd3182d768c33a

SHA1
116d77384a049b109af9abc76f1802fa73063154

SHA256
05df0c9e88cf2a263871236bfa36ed672668af18731dd7b33442f4a070d0dc70

SHA512
cd7be296bbb84019cabb2fe00bf6147708dc624db3752c2db3aa48937523230280c3532c2c262ea60bb1b2665a93eea554848511ef0355bace72f0aa55f90ae0

Download Submit
C:\Users\Admin\AppData\Roaming\.sonoyuncu\bootstrap.exe

Filesize
8.4MB

MD5
94bb92418bf395fa8d5ac86ab036f121

SHA1
2a62229615d627cd225a783079caff4f22f4005a

SHA256
f41d12d5b736a82f4c53e3c3f242560dfd800a24076186399dd695f3b493184b

SHA512
7205e4e6a67f2685669bb2262e6f3c459978e20bf80497714d1b67ede1731b92c0ed067181c703ee8cd43bf9d5780469eda00706f4b96dfc7ba18bbc688f099e

Download Submit
C:\Users\Admin\AppData\Roaming\.sonoyuncu\launcher.jar

Filesize
19.0MB

MD5
b00a8766b93cfae6eccc26d434038da7

SHA1
f8a7d4d29e7d8aca0f290e2f314b9a4aa2f5445f

SHA256
ed31de4b01e341277fbada0346e045d2a85ab414a4f3689561269e872eb99489

SHA512
530799d34bd57d5e475e4f56d745a4106af6b33a0fe7573a65d30a6fe4cbc5ccffefaf490263674e78fc1eadb2c5f4e7492df2599036f5c98ccec807729012a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
b9464da3fd4de1087e9d55011ba3afd1

SHA1
2e1248299680fdfae684ab57e28dbe4b3dedaf9b

SHA256
f1f12aba32afe8c4a8daa900f42a5b71d2ab81c14e7467e374ce43a403a6008d

SHA512
ae185a755474bf3d96a4c8bd1d0ca7731fb7f33cc269194028eef74edc6c4071f9e7e492cdc64cc6f6afb6ac269bf78e67e144bc2b44285919c7820dd1751c5b

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\awt.dll

Filesize
1.5MB

MD5
0d34f6a9abbf9aec86cc475584182524

SHA1
eba676cb5eb7da28c2904f524259b04dcd01b11e

SHA256
0b7bec928f1562878e016a4fc08120633fa24f245b44cad7350a6be20bf75e39

SHA512
6b8568463bb27e9c1c832d1343c4ccdbffe373b966953db4f8b7ecf6eef08839c797c1f5abea45575fd1526760a4bee6509729d720e7e03ed28c7656e887a5fd

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\dcpr.dll

Filesize
156KB

MD5
191d85b926247a8aff45ee30808cd614

SHA1
71be1d2fb07860d22d0fab60c22523f9a95751e0

SHA256
9053f78ccf014cad648f65653a433c79390bfd9bc78ed902b1e11f122f9fb34f

SHA512
f2ec8574e1f22a1ce58a69c11445b308ea944415f78a7d1a00263f3433fdf2ca29773a5385485590d86ecbd2b78a681c8a0c186022351d95465f39a7297ac454

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\javaw.exe

Filesize
205KB

MD5
9a91a447a9ba1325705146836b1b3ad5

SHA1
e5fb01f24e39dcaf1ac966e508d1a574d0753d12

SHA256
2b1aa9ed931b7bf5579ef052b1c1da3b5c9d6d3ac62770c51ca971f9bbf0d75f

SHA512
b592a095261476f1da42978c6a5e91f49268beb36791b9e4d141d487587f5aa89c53aa0abc2b0a26ad9cae6c9d584d03f7d2ef75f86bd2377c98f76b23650608

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\management.dll

Filesize
40KB

MD5
78de2e1c593bc85411779bf511ca6cb6

SHA1
c2503a32846208fbcc5c0c9c8cea30a239a83839

SHA256
37f755d85d828614b849e6836df457c9a90561253c42a11416358701cb9c528e

SHA512
bd27aec321810a6e01499ad7eb605b794f7861d334aaa0ccac847ad1e61512212983b9a9f3d7504fea3f6fb1bf2d4e3f7d3a7677b2953d47d533bf15c822637d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\msvcr100.dll

Filesize
808KB

MD5
aed6d63cfa5a3ef7021af9c457fee994

SHA1
f6ad746ef520b03df6cf0f5a2512d0df964c4688

SHA256
b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0

SHA512
5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\server\jvm.dll

Filesize
9.5MB

MD5
18412921cbbdd815622564f9ba0f5501

SHA1
dbc6dd7ca1e5fd3a6b128f96f07652605ceed5b5

SHA256
8d105d0d627ce36798b2353f0092bbb937e05a35da44b01ae12c65e8ada8490f

SHA512
1575e22675be215d3e6dcfc7adbf8e0cb087fb91c1c7b560be5fe17f24fae83d55904a4ca4dc4d9f852b03e7f9a626ba6df59a4f0bd5527e5b59af4124045ee8

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\t2k.dll

Filesize
248KB

MD5
1077883868cb42ff899a085d0f948769

SHA1
0f71ee2c95671d3315a5e9e9388ab83f4e9b5f21

SHA256
3279a0ed45eeaa51f932b5255ccf709964f33ed7e4e5844a8f07ab4f2ba910dc

SHA512
7b7940e66cefd9f24a9efb6679c0d5da7d44679b36f9b92f555d626ce5dffeb6f7f5f47946730ef181fb94c0b400463a849eac9d4cb06381832ebba0854d49ad

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\verify.dll

Filesize
52KB

MD5
4cf2a998f46853ec44d3c4024794a14b

SHA1
001e6ce3a18288de976b2d3cea11e5e121953687

SHA256
69380ba5fbda75e2190b6d27e87deb2ca0ef6aff0a0fc252842e955e3455e669

SHA512
33459a54360e58888cd85e1f31ebc025e2de3b80a9a000ba1adbc693521b3242441451d2ed594e8a78ca3df4eedd6648da4dc127fea2c57cffb4a6e706d1db03

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\accessibility.properties

Filesize
155B

MD5
9e5e954bc0e625a69a0a430e80dcf724

SHA1
c29c1f37a2148b50a343db1a4aa9eb0512f80749

SHA256
a46372b05ce9f40f5d5a775c90d7aa60687cd91aaa7374c499f0221229bf344e

SHA512
18a8277a872fb9e070a1980eee3ddd096ed0bba755db9b57409983c1d5a860e9cbd3b67e66ff47852fe12324b84d4984e2f13859f65fabe2ff175725898f1b67

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\content-types.properties

Filesize
5KB

MD5
f507712b379fdc5a8d539811faf51d02

SHA1
82bb25303cf6835ac4b076575f27e8486dab9511

SHA256
46f47b3883c7244a819ae1161113fe9d2375f881b75c9b3012d7a6b3497e030a

SHA512
cb3c99883336d04c42cea9c2401e81140ecbb7fc5b8ef3301b13268a45c1ac93fd62176ab8270b91528ac8e938c7c90cc9663d8598e224794354546139965dfe

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\currency.data

Filesize
3KB

MD5
d072fb69e4c180d6704a9da8ff64772e

SHA1
66e52daa2eee4f81644816b64289c459bd009400

SHA256
5a55dbb9f6dd2bd6024e9f9e81b26d7fa72e74c13a0e8b0a7d5c4715a08c5739

SHA512
2d152a5a475878850bd3cc28d032d19624ff1ade99465bf975bbcffc548006e9fb60971ba416f2e623750acf9dc266aa4b0c3a2a2761f63c00fcaef3181e9991

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\ext\cldrdata.jar

Filesize
3.7MB

MD5
5543565b726021564df52aa6616ed171

SHA1
bd03f645f8a642fb7a04aeeb0fe9d4747e6477db

SHA256
567f795a82704675905e6e9d6b9b6a90404f28f58541ca8a7ac15ac46c06e045

SHA512
815f75987f73d97a97c7cc0c25d98fe73d703c6f10e8252e5ecf35c53a0a5c6c593b45b2e3cf6c0bdaeef23e8017f139942ecc0e146320e1f09132bd04b9b715

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\ext\localedata.jar

Filesize
1.1MB

MD5
587a3e2bc8bb7e1be4520a786d773d45

SHA1
c252e1ac1399b2f07306ca4f9646aa39e8528c75

SHA256
ff7029571f96ceab43b3119bf44178d9c93456e21892b3d529a9dd61a7aca95d

SHA512
30f32866473ae51b29f63abae1fb0dedfdb6a1a53553f6b64bb75400dea3ca3c74c804b18286126400029c3eb50f67d28c5f6d2d55fd39194a7c51c92ed43f87

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\ext\meta-index

Filesize
1KB

MD5
005faac2118450bfcd46ae414da5f0e5

SHA1
9f5c887e0505e1bb06bd1fc7975a3219709d061d

SHA256
f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8

SHA512
8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\ext\nashorn.jar

Filesize
1.9MB

MD5
439b0106e258ed407bf998dd7612d595

SHA1
46bc278b333f00007c6d4fa14568600b06d8bb73

SHA256
350778d2529862a5e5e12bc9f6fb20f2dc5c4f02bf135f456307216bfe0a4034

SHA512
fcc2fd8152696e16118f23e978564fd113bd842649326bfdeb24ed741848c2c1c7a82ff36be673b33cce83616c4813f7cd20c902661137f04e6facc1872caa83

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\ext\sunec.jar

Filesize
38KB

MD5
3ad4cda8b1851da5d2a4b48cd95ea1bd

SHA1
5d36fe49a2bdb020f4ce7a71dd4566366759bb45

SHA256
d19170fbf1d3c5b296b87105d6eb6d5e8999393745f60414566c561ef261a841

SHA512
346c52e377d0183baa13a585748b8c49712a06852f82c877f71ad559b702f68260cb6e469d88af2ff41b7f4dab8290e9d4129f41447eabcb852450c15742bfd9

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fontconfig.bfc

Filesize
3KB

MD5
e0e5428560288e685dbffc0d2776d4a6

SHA1
2ae70624762c163c8a1533f724aa5a511d8b208e

SHA256
aae23acc42f217a63d675f930d077939765b97e9c528b5659842515ca975111f

SHA512
c726cc2898399579afa70acace86bec4369d4541112243e51721568b4d25dcc6c66fa64ac475aff9ba9de07a630b24a9f221fa00426ad36845203ba809219e3c

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaBrightDemiBold.ttf

Filesize
73KB

MD5
af0c5c24ef340aea5ccac002177e5c09

SHA1
b5c97f985639e19a3b712193ee48b55dda581fd1

SHA256
72cee3e6df72ad577af49c59dca2d0541060f95a881845950595e5614c486244

SHA512
6ce87441e223543394b7242ac0cb63505888b503ec071bbf7db857b5c935b855719b818090305e17c1197de882ccc90612fb1e0a0e5d2731f264c663eb8da3f9

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaBrightDemiItalic.ttf

Filesize
73KB

MD5
793ae1ab32085c8de36541bb6b30da7c

SHA1
1fd1f757febf3e5f5fbb7fbf7a56587a40d57de7

SHA256
895c5262cdb6297c13725515f849ed70609dbd7c49974a382e8bbfe4a3d75f8c

SHA512
a92addd0163f6d81c3aeabd63ff5c293e71a323f4aedfb404f6f1cde7f84c2a995a30dfec84a9caf8ffaf8e274edd0d7822e6aabb2b0608696a360cabfc866c6

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaBrightItalic.ttf

Filesize
78KB

MD5
4d666869c97cdb9e1381a393ffe50a3a

SHA1
aa5c037865c563726ecd63d61ca26443589be425

SHA256
d68819a70b60ff68ca945ef5ad358c31829e43ec25024a99d17174c626575e06

SHA512
1d1f61e371e4a667c90c2ce315024ae6168e47fe8a5c02244dbf3df26e8ac79f2355ac7e36d4a81d82c52149197892daed1b4c19241575256bb4541f8b126ae2

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaBrightRegular.ttf

Filesize
336KB

MD5
630a6fa16c414f3de6110e46717aad53

SHA1
5d7ed564791c900a8786936930ba99385653139c

SHA256
0faaaca3c730857d3e50fba1bbad4ca2330add217b35e22b7e67f02809fac923

SHA512
0b7cde0face982b5867aebfb92918404adac7fb351a9d47dcd9fe86c441caca4dd4ec22e36b61025092220c0a8730d292da31e9cafd7808c56cdbf34ecd05035

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaSansDemiBold.ttf

Filesize
310KB

MD5
5dd099908b722236aa0c0047c56e5af2

SHA1
92b79fefc35e96190250c602a8fed85276b32a95

SHA256
53773357d739f89bc10087ab2a829ba057649784a9acbffee18a488b2dccb9ee

SHA512
440534eb2076004bea66cf9ac2ce2b37c10fbf5cc5e0dd8b8a8edea25e3613ce8a59ffcb2500f60528bbf871ff37f1d0a3c60396bc740ccdb4324177c38be97a

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaSansRegular.ttf

Filesize
681KB

MD5
b75309b925371b38997df1b25c1ea508

SHA1
39cc8bcb8d4a71d4657fc92ef0b9f4e3e9e67add

SHA256
f8d877b0b64600e736dfe436753e8e11acb022e59b5d7723d7d221d81dc2fcde

SHA512
9c792ef3116833c90103f27cfd26a175ab1eb11286959f77062893a2e15de44d79b27e5c47694cbba734cc05a9a5befa72e991c7d60eab1495aac14c5cad901d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaTypewriterBold.ttf

Filesize
228KB

MD5
a0c96aa334f1aeaa799773db3e6cba9c

SHA1
a5da2eb49448f461470387c939f0e69119310e0b

SHA256
fc908259013b90f1cbc597a510c6dd7855bf9e7830abe3fc3612ab4092edcde2

SHA512
a43cf773a42b4cebf4170a6c94060ea2602d2d7fa7f6500f69758a20dc5cc3ed1793c7ceb9b44ce8640721ca919d2ef7f9568c5af58ba6e3cf88eae19a95e796

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\fonts\LucidaTypewriterRegular.ttf

Filesize
237KB

MD5
c1397e8d6e6abcd727c71fca2132e218

SHA1
c144dcafe4faf2e79cfd74d8134a631f30234db1

SHA256
d9d0aab0354c3856df81afac49bdc586e930a77428cb499007dde99ed31152ff

SHA512
da70826793c7023e61f272d37e2cc2983449f26926746605c550e9d614acbf618f73d03d0c6351b9537703b05007cd822e42e6dc74423cb5cc736b31458d33b1

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\jce.jar

Filesize
112KB

MD5
f023f78dd099f9dd75e45c2dba9c3552

SHA1
5772b0f1c6df6d3643792f788b3e76730e1695ac

SHA256
362308a654b1e7384ecc80547488eddf0d03db0424e576c38af57605dca44fb1

SHA512
8cecb50ea851f92eeab8ec0edc4246b0f0e833a93d65046dd6b53d8cc3d45ba7e1ce5d61db469fb09c0f477df6a33bd2d29cff0a50b9bab82dab4c2128dc8aa5

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\jsse.jar

Filesize
306KB

MD5
a51afd4becc6617c4ea288a99bb388d3

SHA1
33aae845d5965c9296b8ce90430b946d55882252

SHA256
75b78a2a58828cc63866e15a760ffed673002e61cedb2ec2199c87678c4f2ea1

SHA512
9b0851d6e8837cbb9339197cf522a4efa5183075119e46adbc2804b45e6731e21d0be1b5c6c0418e2e5ed2d5f04a02fd0c7d60c23eaad2cec4b5d3513d0d58de

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\logging.properties

Filesize
2KB

MD5
809c50033f825eff7fc70419aaf30317

SHA1
89da8094484891f9ec1fa40c6c8b61f94c5869d0

SHA256
ce1688fe641099954572ea856953035b5188e2ca228705001368250337b9b232

SHA512
c5aa71ad9e1d17472644eb43146edf87caa7bccf0a39e102e31e6c081cd017e01b39645f55ee87f4ea3556376f7cad3953ce3f3301b4b3af265b7b4357b67a5c

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\rt.jar

Filesize
29.8MB

MD5
d4b3e17ac7c159eb8c622e5f62a75ecf

SHA1
28215cd105262d2982f757cec268e4e862e8bacc

SHA256
6325c86aef91f955d9e4e3d809ef8ea2cd528f3852e867759ea0a01471d330c7

SHA512
c3d46ef4102b8108b568b4942d0a6121544fc9e397488e127068a9bdc4fc3a483092cfaa192df56b4473a12b38ccaae46e0ac84ed00a8d88249196f307ced007

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\security\java.policy

Filesize
2KB

MD5
11340cd598a8517a0fd315a319716a08

SHA1
c0112209a567b3b523cfed7041709f9440227968

SHA256
b8582889b0df36065093c642ed0f9fa2a94cc0dc6fde366980cfd818ec957250

SHA512
2b6dadc555eeb28dc1c553ab429f0cb9e3ad9aa64dfa2b62910769a935a1e6030a7ff0dde2689f29c58d1b0720416d6b99ffa19bd23e6686efb1547afb7dccfd

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\security\java.security

Filesize
23KB

MD5
b7aba3dfea0468195be1256c959135e6

SHA1
8c30082493935efda5ba54489d8605199c976b29

SHA256
c50c923c2b0dc5a3c598671be2cd980f7f06e7254cce04a1fe498f6e17fce3ec

SHA512
c91e110a3f3fc74596d22ee9f59bfa952be75b1b87fdb0e7ca8f188671c8e1d22bf02bc0c0b9f1321ad4df0c8c8db6f660efbba513888686b5ba9f86d7c30b7d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\tzdb.dat

Filesize
98KB

MD5
15587f96261d342f4195b7b5308e415a

SHA1
61ef3adae0d6565e80fdc5cb9e33791c211dbfb2

SHA256
79f315b59efa1c8eb1c43b8a56cf4b2efbfa7a0d8cd1f49ea3ff3c67ad095945

SHA512
746d464f40b6199500882af39b8ed2c36f41949afdffdfb55dd29e4cb6246e5ae799b00ca306d8ed812e810aaa8f35c9b117d5cd8dfe3fb746f2825470877e2d

Download Submit
C:\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\lib\tzmappings

Filesize
8KB

MD5
7d4abbcfb06d083f349e27d7e6972f3c

SHA1
eb91253590526f7be7415839ccbf702683639c8c

SHA256
d936ee24810b747c54192b4b5a279f21179fe3ceb42d113d025a368ebb7cb5a7

SHA512
e5c2fbbc07cd53baf14f3cc239b56b42b73de47f9b7904aabf7d97695d2ab8866d0c8179235cbf022245949b9b8e419985e328aa5ed333b14b8b4de2c82b225e

Download Submit
\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\fontmanager.dll

Filesize
267KB

MD5
84a04b93034abab9d3f1bf9579c0573d

SHA1
9fed686fd40ba50c407d1ab4e76da4dd717117b9

SHA256
ebc7d009c0bee5a45efa60b0e74c6926fb57e583d3c4e8614442dbaa14f9a874

SHA512
7ff3e356e656d93cfbed3e7684917f6203222fcc9ead71970e19021937a546615ed32b530d48003b1de838c8881cdd00a1d4d64b4e6fffacdc7199173b0c5dbb

Download Submit
\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\java.dll

Filesize
4.8MB

MD5
231e1e56a395fdb03a14d0877c52e576

SHA1
22fcbf83705ac9fdcea6aba3c0d9d0212106a613

SHA256
fd30b402c986164abce4ebb9ce278afa15d2f105e4836beed5a32bbc5781920f

SHA512
d8a361ae55bcb7e70e341d4b09c48a2370c9cdcaa412cff6f6d9002163227cd6fe0e007ddd5ec86ec7d4709c1031c75dbd24438ba7fcb55fd44bbceed2239835

Download Submit
\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\net.dll

Filesize
95KB

MD5
f40dee8540dbf90b1fc9ec6a4e567b33

SHA1
9963f5e16e4073de25a6841b7f84314295099aa0

SHA256
2a3bc597c1dc24a8019fdf332363a9a2387a80095a761b2e2bd441cd19eecae1

SHA512
2b38489ac83335ce353f5cb58b3874f64d289978d0be64400243b6bdf3cc759e8427557b54857a5b629a6901092286c4515b2c5f6340201d7e50565d15828dd5

Download Submit
\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\nio.dll

Filesize
62KB

MD5
3e856f0722ade03e259d27395900c6f6

SHA1
85c4e0eedac577c33d847addb526cfd6bfa06956

SHA256
67ad91a04b84020b2e3373286fb3d8c76bdf9655c9514c7c3badbc32d58f9e60

SHA512
168893082737827e138aa37e252f8276c5cb75e9d4cecc93b130106ad6d3be73d6faad58fbffb7e50813568cc9e28b0079122167d010783a2eb752d27f0711bd

Download Submit
\Users\Admin\runtime\so-x64\dd2225a1f05c9f56f0557c165601697e56050fee\bin\zip.dll

Filesize
79KB

MD5
398ca9a7ee83336d2bad8da4a6f4ed7d

SHA1
ab23f18757b21de9caac684a97bc178c3dbdf2eb

SHA256
d1bead6ed78fff843df232de0e7fb0c33119ec23cd93bc38ca29a05b9ac4dbbc

SHA512
0cfc401d2b894914b2d1da35e80b63ac88f49a02d1d45a20c8115236a851358b3fdea918dee28edb4b6f5485374c545a429f845bac0d48381f1ab6746f8eb62a

Download Submit
memory/860-343-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-62-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-134-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-412-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-135-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-138-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-58-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-1381-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-132-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-396-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-353-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-57-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-131-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-115-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-358-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-389-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-59-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-382-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-60-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-133-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-61-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-375-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-63-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-64-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-65-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-56-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/860-53-0x00000000008E0000-0x0000000001E52000-memory.dmp

Filesize
21.4MB

Download
memory/1588-3-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-9-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-19-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-10-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-1-0x0000000077C44000-0x0000000077C45000-memory.dmp

Filesize
4KB

Download
memory/1588-2-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-54-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-5-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-0-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-4-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-6-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-7-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/1588-8-0x00000000002C0000-0x0000000001832000-memory.dmp

Filesize
21.4MB

Download
memory/2268-346-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-342-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-355-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-354-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-356-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-357-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-368-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-367-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-374-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-344-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-345-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-373-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-376-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-379-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-378-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/2268-352-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/2268-347-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-392-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-397-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-391-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-390-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-393-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-398-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/3708-410-0x0000000008000000-0x0000000009975000-memory.dmp

Filesize
25.5MB

Download
memory/3708-411-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/3708-399-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/3708-400-0x0000000180000000-0x0000000180CDB000-memory.dmp

Filesize
12.9MB

Download
memory/4568-69-0x00000215B0400000-0x00000215B0500000-memory.dmp

Filesize
1024KB

Download
memory/4568-96-0x00000215B0C80000-0x00000215B0CA0000-memory.dmp

Filesize
128KB

Download
memory/4568-72-0x00000215B0A60000-0x00000215B0A80000-memory.dmp

Filesize
128KB

Download
memory/4568-67-0x00000215B0400000-0x00000215B0500000-memory.dmp

Filesize
1024KB

Download
memory/4568-68-0x00000215B0400000-0x00000215B0500000-memory.dmp

Filesize
1024KB

Download