Malware Analysis Report

2024-09-11 02:36

Sample ID 220306-hmq3kabhhn
Target d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
SHA256 d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
Tags
strongpity persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78

Threat Level: Known bad

The file d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78 was found to be: Known bad.

Malicious Activity Summary

strongpity persistence spyware stealer

StrongPity

StrongPity Spyware

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Registry Run Keys / Startup Folder
T1060
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2022-03-06 06:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-06 06:51

Reported

2022-03-06 06:55

Platform

win7-20220223-en

Max time kernel

4294200s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"

Signatures

StrongPity

stealer spyware strongpity

StrongPity Spyware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe" C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1236 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 528 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1236 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1544 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
PID 1544 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
PID 1544 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
PID 1544 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp" /SL5="$40152,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 uppertrainingtool.com udp

Files

\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5 65689075a82a08bb797bb9a5cc2932c9
SHA1 a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
SHA256 803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
SHA512 20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5 65689075a82a08bb797bb9a5cc2932c9
SHA1 a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
SHA256 803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
SHA512 20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

memory/528-56-0x0000000075F71000-0x0000000075F73000-memory.dmp

memory/528-57-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5 65689075a82a08bb797bb9a5cc2932c9
SHA1 a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
SHA256 803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
SHA512 20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

memory/528-59-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp

MD5 8f144bcbcad0417e7823dd8e60218530
SHA1 9df092a764b8ad278ed574f00d1c065683eef6ac
SHA256 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
SHA512 e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

C:\Users\Admin\AppData\Local\Temp\is-2G25K.tmp\fnmsetup.tmp

MD5 8f144bcbcad0417e7823dd8e60218530
SHA1 9df092a764b8ad278ed574f00d1c065683eef6ac
SHA256 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
SHA512 e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

\Users\Admin\AppData\Local\Temp\is-1PVDJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-1PVDJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1488-65-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5 81390ce601d34f384bff9198eef793a9
SHA1 6067bb07169464ca2261fb7b9f3a50868a8d412f
SHA256 1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
SHA512 48eab568a08b20c5046d12b2a061bef562cbd1e2e2de692d805873bc6ae7bc5c47adb5a3b3c5ccd818aff12c2be8becd70314e59e16b2d598d14711111e8a33a

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5 81390ce601d34f384bff9198eef793a9
SHA1 6067bb07169464ca2261fb7b9f3a50868a8d412f
SHA256 1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
SHA512 48eab568a08b20c5046d12b2a061bef562cbd1e2e2de692d805873bc6ae7bc5c47adb5a3b3c5ccd818aff12c2be8becd70314e59e16b2d598d14711111e8a33a

\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5 81390ce601d34f384bff9198eef793a9
SHA1 6067bb07169464ca2261fb7b9f3a50868a8d412f
SHA256 1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
SHA512 48eab568a08b20c5046d12b2a061bef562cbd1e2e2de692d805873bc6ae7bc5c47adb5a3b3c5ccd818aff12c2be8becd70314e59e16b2d598d14711111e8a33a

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5 8c24dd49d037121212985c722e1c7d03
SHA1 6080cf16925c33fb0edbeeaf2a549a3749d99c9b
SHA256 9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
SHA512 3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5 8c24dd49d037121212985c722e1c7d03
SHA1 6080cf16925c33fb0edbeeaf2a549a3749d99c9b
SHA256 9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
SHA512 3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5 8c24dd49d037121212985c722e1c7d03
SHA1 6080cf16925c33fb0edbeeaf2a549a3749d99c9b
SHA256 9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
SHA512 3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333690_0.sft

MD5 0376246e13bfcae23d599b41291cc4c8
SHA1 ac67f8280a162d46f4a12b940e3a2c24938a1feb
SHA256 56f50ce97248840e34b2fa229b0f89319bcdc5670df8a90f5ff133efe016224e
SHA512 2dc7b079f1c8835b6b661896e3f625e6195815e39c29b6422a99889651b6727f52af882e9e6fd1025a50f02c450e42797855972efc00f5baa4b9da6a3a86345a

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333690_1.sft

MD5 798b98c3e772318a25ef35daf824d1d5
SHA1 557d78453e7889f4dfeb2f93c3608dc0d341172c
SHA256 383f0e3f2822d055c218e8a55959af60ec269416c2984025a20116eb359f0024
SHA512 bbd8d5059f0906dce7b9e2909e37ee68d6ce79bf8c6b873422ccceb027923203e08da8768363daa99e780d1b985d253f19b7dfa6f5a8d3d9ff89fcc27d37a379

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333690_2.sft

MD5 c980849df151c0f89e30ee6812b40459
SHA1 112db0aaae5e33c48c08ff3708df61b5b73ee3a4
SHA256 94df864fba5e752581d198c5a52360daef0c0db3b62f00166dccc37f42c78b09
SHA512 e4d648738dc49c5ae9fc49f84171f498351a4b71e5a67e588ca398c8633f999545e2a62b03cec511c23bdeaf6a820c04ef4cd6a596621ec80ebd87eae52a0403

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333690_3.sft

MD5 0db465b837e87ee3915b0ce59beeee70
SHA1 6aa950bb451285209c72c0ff065b4a9962587a8c
SHA256 ed2b7b5641c3062271fcf999496dfe51bd0c828d30d0c8eb37fa3af7ae517827
SHA512 0553b64bdf5473126eb2d7ec5c19bf1f9ae0c7bb4ee6fafe9f45a13277842f669a5bb7e569302833b5ad51ec299ead65ea455a26f1098c245ed6036194ddf459

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333830_0.sft

MD5 37f0fb87f79733beebacb8d5964d95ba
SHA1 fb304ba16b55437205f2dc3cd4a77b052923c513
SHA256 294ee6dc47cb85ccdf6efee650a04a90202408c7a717b2f968aeec1e24f78aeb
SHA512 a1f6c22a02fb5a29ee84eb5e46d66864b0c90e302e0ba7dfca8fa8b19007e5cf06dcae619d233fea5dd03f70b338a8d9bbedb70fbe592f9197541d27b862b7c4

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333908_0.sft

MD5 6990382119b394368b8de15c7856e492
SHA1 23c0777efc696e0d7cdc5c1a9fe73ba6d15e5335
SHA256 b552b4372767da415acdc041c20e4eed0f86f098afc7d3d50dca29f6e2dc2a91
SHA512 836d872e634032886f1b0058e2d1d691a5ab330eac1ade1b164d42da0d5a9e861fb9487c6e912665979c2c5e5a6b91b4dfc8ddd45e4531f1a2f8e78e794755e0

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333939_0.sft

MD5 ee5abab4afe8e3bf3a22610d2e3d173d
SHA1 e4fe77b572c9b020202942af0700d1367acf896d
SHA256 2b8a6a2e224c06edcabc25b602dda8b3f097ea6ae6ae4998dc139d409a737623
SHA512 7ded21e257839681bec57afaf5f9838ac38ca357d0f8aade9a974beb6326a2c8b26d5cae564be46dc5bf9aad9819d14740f099d789ce74eba741bacb1d08fea7

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333939_1.sft

MD5 02a4dd71556292700e59cd9b07a660fc
SHA1 b877144147a3e9854bf8f1dcde71c37914fbbd2a
SHA256 1c6d1cf2eda8c15014f5adab8a718d01c550f7c37c46a90f22ea6a635f1544e3
SHA512 0e80ab93934303155c9390b2e4284dc3f2d8098057c5a3ed62ef653c1bcdcefa71b8797373394a324deae975fef96c20192a04dc439cb7ddd88acbf4d6961638

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333939_2.sft

MD5 bfb468d5f5f26befcf92e23a207b40b3
SHA1 4a658da160563303ceabad63a1973a76d06e7859
SHA256 22229a4b04ace745256794775389ba406a45136f058ccb3487354e932fa5edc7
SHA512 bfd0eab83abe8d8deaa6a306b3df89d769b10c5f4dfc8709cfd091a9f570901c4fcb3bf7ed9fa78c03f8fa9c8abd571ada5a652ff0d681fd8875987895af7159

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333939_3.sft

MD5 38d1e2cffb4407f1a7b992faa72e03ed
SHA1 3bfdc5a39db73b6132cb257a5a7ab1812d92ca08
SHA256 bc1dc36f4f9904c5e9881e7d0e3e7e383fdf0e733957f86eaff10f66c934565c
SHA512 77cdde0066ed01f260eeb2fa52ff601982c515c60c3217be1f47bae5ba620e154a92b3d6b08fcda258502a558f83bf5af53b8ae4ad0c6d0873394556966a079d

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065333939_4.sft

MD5 4c7e393a66c3e9cc757523eefb77c40b
SHA1 eae84abce778f7dc6f6480784a3bfa5ee1d175fc
SHA256 4a2b7bba214440ff2695bc66b8ada1fb7a9325d6327821f17b409fec59799862
SHA512 1d1898a4dc038158cbb92b3858c62ac66593264a4d9a6f3a7c16fd2313dc1a8209df54524a54baede945df946a1fb272d5f1dac02efccaebb39d86f51d8163f7

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334064_0.sft

MD5 49945b0cadc2a7a570f6e2269ac2e118
SHA1 126721c5707d68ce9bb28918828e663aaadf9b52
SHA256 a6c54ee5620f79155d5e34e0a2397c0aafeee2f7d2a2e75509158b20d2a83e0d
SHA512 10465c9bd7388edd0d823505151529bc248879724f1b7ba9af0c90d0b4453789c33d8bcd8095c1d9ec84321ad0dbae2e6b82d142fbc42c15f5f3e020bc6505bc

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334142_0.sft

MD5 1bb981ab58ab477defdf3dc28b820b44
SHA1 3b6e649fe4cdb35e29ff0348b519fc3c0d2839f9
SHA256 6c7f1df9d39b9fb4f7ef7884fb967bdb78165777f83051426eec34eec6d5b83f
SHA512 2058e2ca35ee2bb4464d097466cd411d625d4eac942a26fe8e802e31d7de66248dda0c42fb7ca3ec9430eb2387751dad6e11866006c6e28b45b8659a2112ab88

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334204_0.sft

MD5 cf4b9bad4c374bc61bf6d475e6575623
SHA1 8469dbc7a33d820f8d21fc8b1b4e1bf70acd8b7a
SHA256 72a3a48be146746b8f5907c153c0ac47f9ad9592201fdbfedbb8ae71460d67df
SHA512 f7b0a6b935cf8153f73b9ecfc30f4818cf87fd20e45e8b1048322222f650b60383cc05ed686da790430c3043ddad0274fdc046b1b6864af6d1dd934398990967

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_0.sft

MD5 e44793a28fd0d0a69e79caa22b3262dd
SHA1 92e56487c5946672910f6762eda44e5e02189f27
SHA256 38447cf13508378d141f44efe61f7b4b88f4662b23b630a286e40c3bb449b40a
SHA512 2588515f785df63aed781a9bcec41c12aae85f768879dcf03b9953a1610eb26694efe61b148c8d1d8e98e3d019574ed1d278ef23107f9833e770e0b54986ad37

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_1.sft

MD5 4c6178416b5728533038eab06152c402
SHA1 eb695331cf8be02c28dcd78b9a42fea56235cb46
SHA256 910ea3f0176f1e4e0913794eb95185de5b88c4fcf9fc6d74155ae9c2a1b4b3ed
SHA512 468265b653c1336591940cb3878a4483b6ed7fd4796013e6c38018eb657222ff18165dba0e57dae8785aaa6426f7847579c5da18563f91c7577a15df475e3b81

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_10.sft

MD5 2aee1bb4254162cd701e7e4735eea553
SHA1 eb07cabaa104dde5cca0abf76f8a6529b09cf835
SHA256 f2ce947438573de1d8767694a4c8817ae87618ab4966a4ed37159cfa538385a1
SHA512 34f6f808c152d1f3da665c497dcabd55bc525bd44be48c5c9c24253791e859f508102d3cfea797ce022e5cf5209153898f20092bb46b6741c3f7e24fd56c020f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_11.sft

MD5 c4eb2129f8d6cb8190ea9c523a5301e2
SHA1 598d8f3ba77f3c16a41bee5bea9352f02acb3dd1
SHA256 a09288de3bf8c8b86623f018e22c1dfb855e5f3f90b3f23b901e1c6fa8231c32
SHA512 5e603a0e6f7a05ff7aad034f1e1a8817c21b75854233fc0747be41eab015d1be94fef81fd1a8ffd14670f1488d25a8ae544b6e205dd15c0a741151db7b264194

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_12.sft

MD5 8304e21374ce0e3a759eaedb8b672aa0
SHA1 1681b248c6ca02e702443274c161b9e22b20dea0
SHA256 5dbfa4c323fd7395b797f16e9b805b0b400200789bb3f5d2e6d0ad35124b07c8
SHA512 bf4f558fba8331d84c27ece1dd7d981e4e705f553204fbc2d19be841a3ba12b50dc8c03da38390ab241be7201085fc9fec5469171ad045da96d87c2305e099b7

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_13.sft

MD5 e55e4b96a55a898b958e6433ed62c10e
SHA1 bcf0785f716daf6b412ca749f54668b4345cab04
SHA256 6be90c043c6131636f839a0426ff33b62413c96f81b561fc121ede7fe0a8863f
SHA512 8facbef7f078b2cd45f0c91d19b4142576c30d5c515adbba444d8fca5bbee18cd4fb085d6e18657926f6780e35618ad88c8e56007be123feeb1b5368bd338e53

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_14.sft

MD5 28063c8ef00b6458a98d06e299935faf
SHA1 fa98d4e2746021c401ce2f22b400771d69be816b
SHA256 8bb5215eefe967474301fefe624beba56521f19f6d390c67de09de0c6a9e3bc5
SHA512 064acd34c0ad7b8b44b88d4b2c05d56b94d95d5efb2351e6b3aed6663c637e172ec6276567f6ad9aaedfdf022749163289cd0c702c4cde262e899f2e1d1e4016

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_15.sft

MD5 39ffb5c4a4ea64f1977c4dba19770f93
SHA1 15686f53e953c4d830db5e5c94c3a643a9e15938
SHA256 ba8218716c410aef2866c3b5e0bd199f5afc35032f16cb3e096b4193d8be8da9
SHA512 a065ea0c0d588e02371baf95d26f2c83d677559109cf63d2b8c2910cfb2e971f90cfb2171e33c70a4949a66f8e96664a35d36f21704616e37a2db64a26c009aa

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_2.sft

MD5 4fbdf0276b8a5b2759ac0cdeacc93266
SHA1 ffb54585520466212a04e463948d968d6e72e07b
SHA256 7dc6e74ce449765a48c8aba15d928786593a6a4131643750c15360c7ec2a16a8
SHA512 e437195fee999b22699eb91877bde4133f0035fea0822190f6159dfc04a8af797ccf13563a81481e9d73083dba2128ac5ceb6e7ce1673931e593d296e3aed392

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_16.sft

MD5 e678c51539bc3a735067563dc03d32b6
SHA1 0e7ad547a071fcda0a54079205be19e216185d35
SHA256 ad341f568432779be930941cc919aa2fb70e9c6e40b49e1a47b5b3ae23239c28
SHA512 2e6d802b4bd05443f9ab12b612e5981e1794c1fcf539e5f78d3a29d69134646337ace6886a0e03c5707dc9d14b2ab95b0369a97af4b18d4bb3d1503a27326286

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_3.sft

MD5 c5923bce9c1a913a87cd6d0f66d93e11
SHA1 d48c1a04a71d298f2a5f1914f6b2d1f7589f4a63
SHA256 16840f14a7fbcd922d936a08d51569132ea43cda67cf20cc64baa838f26b02c0
SHA512 cd8bbd6cf31deefd52f7e8c921ebff6fd71595201579a457e51d8cc452dd7b664cc0ac1b5591c27117b981bf681c3cb7e29c8a4deea3edb00c04d068290e566f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_6.sft

MD5 385be0f3a93b0016b203c0ef8e4e19d1
SHA1 288d91234cfe4af9474366433628727071a8323a
SHA256 1442cdce8bdef18e2a980d30acac605822822dad6066007d41858f1f81ff1b10
SHA512 c33cb3c0f5c3c691bc7d2c4532aca8f40065df5b9604ae693cfdc3ac42599400cea42c41306f703c19b5623d36a206408209257c56d67879ddbd3bdaec1cb473

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_5.sft

MD5 c98ab9aa3debaa6b0d3269ed3c6a281d
SHA1 206a54366e1849a531de4ef3456b9e0f518a8f29
SHA256 1c020a51f3ef9ec55dd0d4dbb30a56d6e1d8554408b1af810407fb343cdd38fe
SHA512 2fca18eeae641bc09cea7421da8009a7cae2a3b57afc4fe0ed9994c14770b6cb7556e0294860c31e53579b16af7d494f2622ee29fac83af1ddaf782ee6e9305f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_4.sft

MD5 70d43186eef5e271633866713f5c620a
SHA1 e47e13e8893d7c25585ef77321cba82ec4e43d2e
SHA256 d8090c61d8c071b35dbdc3716a197bdf740d27b65ee67eeb28317792af1babf7
SHA512 94c34c0818d7c0d64cddf36e9584e7bb0a57810e82a5ce361046dab598506679de4a5f4cd66480fb5fce18ef989d98261535fb6cd274ae865e9788b773f12ae3

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_7.sft

MD5 26331dec3ecbf72fadcd5d6c8110b6e4
SHA1 1bb9b55d2dba57e0b64a2c7994adc5f4e67f2bbc
SHA256 5270b6daed475dba520d9f3536d830607c588df3d211d5509a12a38ddef5e903
SHA512 71d24e49a8afcbea8c0f00f222988575d1a638707e11713fd4b517ba598cb54b93cf7ba5bbfe77bc29563067bba9ce7730781665017d45b564e90f92a02cd2b8

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_8.sft

MD5 b0153ee3441c265d2c1b1bb689712351
SHA1 7cc68bb049e9b5cde26cf9923a1964987d4e501e
SHA256 ec5c07e2d5c23120f94653f7371e3db02cbdb46cd18f36f1692b7b698a8b0234
SHA512 230be91b1601e7725d3d2eb1e8cb267b4c4bc9c5e057be79b67c48f8960a2363fe525d0e570a43071a1a793dabf38fd6adf2ae874921763eb5eb0a92f15f1ba1

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334407_9.sft

MD5 632b6e07cf146d85f8313dcadfae5e7f
SHA1 a1798b364fd9c48f9a8ba71edef160d862f3dcac
SHA256 0e8a2d02056324ab5522903c55fcc414ba6cc4ef2bd1f629ddcf738e186417e7
SHA512 59e0abf2d1ef64fb4be8ad0728a82ff619e8d4b1edae8b09cdce78786e3d25f309fb6aeb95fb567ef92c125c33317432ad94c35ee3679ba3100f2faf9e4c1776

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334875_0.sft

MD5 33e7e422348998313ae2ea451299ad81
SHA1 590a10258fef69dfdfc189a921f95cebb3aaf8b1
SHA256 1042ab5734a3317589a5041ef15a8eb6147be95d076ed93019fe5ed5cd6f2de6
SHA512 ee440b1a0e4c9f73027e3886dd90832741208d38e313a4708596ccce8c2841fb8375820f8f1b7e670e75bacc71beac6099b1e1c49f64791e18ac22b40b9956ca

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_3497749202_0306065334984_0.sft

MD5 7299aebf8dee7465e71bd728cd0852a2
SHA1 47f6caa9176ef2ba346820d30e4f211dfa221168
SHA256 b75eab6e2096ef25b71a24b9254133ebf2c63a373a99d3c85a7dccd6d86360d6
SHA512 7f45a17be3dff6ba32847c845fe790cbf5896b81db373cc4d9adc265deb7747f984aae73004296ac24d81d64c86f02eb2f216befaa1227dc07501b6cab5da77b

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-06 06:51

Reported

2022-03-06 06:56

Platform

win10v2004-en-20220112

Max time kernel

174s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"

Signatures

StrongPity

stealer spyware strongpity

StrongPity Spyware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyStoreUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndaData\\nvwmisrv.exe" C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1552 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 1552 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe
PID 2460 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp
PID 2460 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp
PID 2460 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp
PID 1552 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1552 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 1552 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe
PID 3504 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
PID 3504 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe
PID 3504 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe

"C:\Users\Admin\AppData\Local\Temp\d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.exe"

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

"C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp" /SL5="$901E8,1480519,54272,C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe"

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

"C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe"

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

"C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe"

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
NL 92.123.77.43:80 tcp
US 72.21.91.29:80 tcp
US 72.21.91.29:80 tcp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 20.54.24.69:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp
US 8.8.8.8:53 uppertrainingtool.com udp

Files

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5 65689075a82a08bb797bb9a5cc2932c9
SHA1 a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
SHA256 803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
SHA512 20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

C:\Users\Admin\AppData\Local\Temp\fnmsetup.exe

MD5 65689075a82a08bb797bb9a5cc2932c9
SHA1 a13b3baeedc3456bf8a03e6f7fd43b8ccfabc7e2
SHA256 803b09f5863b583114d4db7d19ac0c5f64163c0075992bcfc289d27feea3a3ab
SHA512 20a1ac3df849e09fe361d0de8c04f9d8598457e95427a30df9ab74316c2644aa30f782b88b171ffadd7be4b6fc85970ec539d003aa1244434be6a12bbb9b6ee6

memory/2460-132-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2460-133-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp

MD5 8f144bcbcad0417e7823dd8e60218530
SHA1 9df092a764b8ad278ed574f00d1c065683eef6ac
SHA256 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
SHA512 e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

C:\Users\Admin\AppData\Local\Temp\is-6ADJE.tmp\fnmsetup.tmp

MD5 8f144bcbcad0417e7823dd8e60218530
SHA1 9df092a764b8ad278ed574f00d1c065683eef6ac
SHA256 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
SHA512 e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

memory/960-136-0x0000000000690000-0x0000000000691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5 81390ce601d34f384bff9198eef793a9
SHA1 6067bb07169464ca2261fb7b9f3a50868a8d412f
SHA256 1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
SHA512 48eab568a08b20c5046d12b2a061bef562cbd1e2e2de692d805873bc6ae7bc5c47adb5a3b3c5ccd818aff12c2be8becd70314e59e16b2d598d14711111e8a33a

C:\Users\Admin\AppData\Local\Temp\ndaData\nvwmisrv.exe

MD5 81390ce601d34f384bff9198eef793a9
SHA1 6067bb07169464ca2261fb7b9f3a50868a8d412f
SHA256 1185998fd595936708c1fc5a3ddeadbdd46b88e216419597da0b461e136ddfa7
SHA512 48eab568a08b20c5046d12b2a061bef562cbd1e2e2de692d805873bc6ae7bc5c47adb5a3b3c5ccd818aff12c2be8becd70314e59e16b2d598d14711111e8a33a

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5 8c24dd49d037121212985c722e1c7d03
SHA1 6080cf16925c33fb0edbeeaf2a549a3749d99c9b
SHA256 9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
SHA512 3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

C:\Users\Admin\AppData\Local\Temp\ndaData\winmsism.exe

MD5 8c24dd49d037121212985c722e1c7d03
SHA1 6080cf16925c33fb0edbeeaf2a549a3749d99c9b
SHA256 9b499b3945d8f979fdbb46342e1fd3dd5b2b5aa4322e9447df13598817c670e1
SHA512 3790a519b479a2c7718cfd51d408563043bc745918e92dc7bfbdc82e61444b719669123568e7dab8142699d350dd66287eb6512fbcaf6f0b35d1e9376d5379d8

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075419721_0.sft

MD5 c29ad2282ade588d0f8015fb78c1e0c9
SHA1 98d7a38e7e3a72103454a7162929203b63b15ab1
SHA256 a9cf27ccd276a7a2e2a2396fb582836cb257f441dcb436bb4b56f144990a2f33
SHA512 e9c117ac534f9e5a5ecf5dfe4e7bd4c469598b38a774ab6b336f16115053400be8363d73ed45127a06df86343bebbd958ceac22b9bd692aa1cfea7848058204d

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075419721_1.sft

MD5 158c042c1cd5d3957a793a7ba3c2ba03
SHA1 3383ae6dff9517c998cbc33ed48b110a60c2515e
SHA256 bc78c1790dafb3aaf63744debf53f485b430782e3690c1f7805746f14207af17
SHA512 15beaa8786b5e3c77544043a05e49be45319b74ea691ba8159fff5cd24756dc7f691d776be9811a07ee0e8f91a63264b2addc2f775004f432e672bb9418665d3

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075419721_2.sft

MD5 41b8ba05e019a6970d5a81da11251d92
SHA1 425ac44ccbae2b7ca54260ce7983b32b162d7a2d
SHA256 980a6b07fb52f30a4cd6c478806a2781585c303d9671e06cd3fd489ea2d355aa
SHA512 f8ae0d259e956bc9b198580911abd93cb4463952df75d68f3c6764d132cbcad49540113d66a42e72718ac23fdcb7477b430eeec94cdc22bf5342068e27d04509

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075419721_3.sft

MD5 b8740f55d205c2d222edd7da15a5f915
SHA1 4bf63812498b3eac75e117d0ed2db708419199d2
SHA256 cb3ed1c5570f5380a983bf4edb6c847464afb0de05eb33350bb3eb27b8a830a8
SHA512 8bba0bb4fa6099040d67d31b1bf2e79567d3b5e633f5b5a3fd7c98f87d1bf9327ffa8f26a09c19469180f42a503ef98a92685f9f79ac41a1514bd36675c98291

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420221_0.sft

MD5 f920943c772a3dfd965aa28047944db7
SHA1 d9e772fe2922ce4b4f79f569aa94205d06afa306
SHA256 341043ef1a1e6d3afa2b023640676642dc6acaa715e1cefda78130de05f0df66
SHA512 059cef51bc7d123bc1890373fbaa27a9b8998d0356b9563d2a8520bb76db15cb84586cb102ad911643aec64235b2bb03195bb832b7176f2b1896108a220548bd

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420221_1.sft

MD5 f28db7fef9060326c9cafafc3bfe819f
SHA1 b84a992050ccc660dc85e79101f71b7b163348eb
SHA256 9f8ca520423d6399faede009e3ba5fac7be7d89a328efbec6bb5dd390d69966e
SHA512 47099fb5db239bfa5c5f53361d2e53a8413d6cbe579ff81e7e968f88210313e9657a337fa022c5800d597f1f62454422207dc6a9af78e44add15dffa2f0790a9

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420221_2.sft

MD5 d6ebf480fdd6f928ed6d294a84622833
SHA1 243051a8298c147531f9c73a0105ada511d984a2
SHA256 160ad643b539729afc709a6cbd03062386c2c64c84cb572ef3b864f9510549d5
SHA512 a0d25a763faaeb902010c2d97dc8e7e5e24fc4278a3a4339f95ac19eb8fe6d293b503a212384fa28778121c50922247cb2136f610a4fe31c6d4d9d244ea2d5c9

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420362_0.sft

MD5 aea560c95e91a5b80ec2a4c619a45e48
SHA1 c18aeac5dd51fbcbb91c6982153af3f9b5571336
SHA256 36d0e6399435c19af77cde18b6f30ad1aa7141a8f5dba7891cd92a0e8f35caa0
SHA512 02310d177e3627369548aeda9f3c5ad4c3ca1a1d9842318977fb9f857c1574e0257a972ed2a668c814be11fbcd9d3934e05f085501ffcdba402f94a22e731f8b

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_0.sft

MD5 dddd5c39c9dfb911e7648014e8d04c50
SHA1 75dd48bcbfc10a9b8cbd1f3aadc16aa82b34f649
SHA256 e61f994e8455655a6c207ec250afc14536479a16c7948d583545e720890f7e7d
SHA512 bc94b9934605d785cea6a6aad545a35dd58be81a28c626580f97e5b7390560c13c97fc15cb760d850c9410a920a62da5cd1b7fba9304e7d7a0a4736eb235f941

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_1.sft

MD5 d5f5dab796bd8dbbf80432eb7ea7aa8c
SHA1 c53e8b49e4a3fb291c695c8638bc4a1039c6cfb5
SHA256 0861cc5c699115e2dfd693582983a55f345aa8776819f211cf20798f9014e292
SHA512 e3072f1fcf9690451f002711bd85d633d92238e9b3cc80ed5959457c792ca59d91911c4718e634f24d4e5ba8c78bfdc2b848d5baa313794d8b67a253ef405b2a

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_10.sft

MD5 de9c5370413105bf259c9a92bf0aeb6d
SHA1 7c83b53fa5129bedd6e9f984f8aa19bc5ee2abe4
SHA256 cc87474a430342b4069afa4c2aba6c24fb1c0e8377019633f3a36ac566fbcbac
SHA512 8e01e1a364924711600c82e94450fcd95f108cab61fb013bed22997dc7cafccfed71a0fed9370233cf35c290ff39e2f875292e293c7436191e75b411f999fefc

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_11.sft

MD5 2e64e20a3d01e536a52ae626bb5da2c9
SHA1 0b073f25f722e8e5af4e196740a5d02e5dd35901
SHA256 9f82d9be9ca89ee8d127c8503d00f7f6839151e44d8055283f584fce7c3bbda2
SHA512 029b47286ed089b570fc0e76632fee3eb02681a11833902a07779c1eb6bc74f0631abdf48671690293f812e0c4f431b190a21465bb6aae217add5d6aed039a2d

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_12.sft

MD5 3eb35244b1db6059c23382f52a78ae88
SHA1 416853eeb2ee9f37773738d54068d2409713e2fd
SHA256 09263d77672b7e0454aa026623be3a77430a8b7bead20a582700d1f36f17f4bc
SHA512 8647b7570bd850c8ff44f2300720af4d185261f4bca198d5471479b9c399629be90db3e27ecf5917c4295df9a0b13d9781ac518490dbdf50c440dffe10d7f970

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_13.sft

MD5 606e90698f642179f706f1c28f50f7ff
SHA1 f061841507c2992f1ff4cb5f4b0c34440c0fedbb
SHA256 89c849d0d43d5c51ca737119e549695add0dc138ff5eb29c977ecb102290d93a
SHA512 2632f7d34f6c3cc3a3afcaa5175f1b55579fcd37620fb0dff4b517cc56b40d94c5c3a6591d23d636f0febf1a75830a9ac429a0cd269e87c9cd2c3817403f7754

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_14.sft

MD5 a6d22565776507ea15c2c233720b317f
SHA1 954f8982896ceb20966033a9fa0f8d22992c521e
SHA256 968a6c3a02b67d702c32e84b728c6c1ad79d26be66837dc3e9db5e8ee670b107
SHA512 3e6647651bbf35716d205c77a54b5c7c82403a494fd7fe5d7edb308335c4f186cdc51edf3afa2f2ae203225bac8e355ab0690a77cd9b46d06ae068424c8f7373

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_15.sft

MD5 723f4be3cba7c9f9184420e7b5610c6e
SHA1 bf904cb267681a8d6996ac72fa5781a7fd0ca184
SHA256 92718bc06d6dc11b1eed7fc3197bf3336a371a099af199489421369f9dcd9e6b
SHA512 826639cd1f175c8c56724be457d8d0315d0b89c80d91fabe1a87ba49c0a49b7fffbc2b623bbf06565e24ca3600df4698599d396071188831d75b3ecce5581124

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_16.sft

MD5 39975524ba7c6080da38f040ba1e5381
SHA1 8fe69597ba6662d4a43516712326a1a478ab79f6
SHA256 e8d2df3aebdae0ddbfc0c074806aaa0065e37010a8760237f6c68efdc99fec7a
SHA512 9359131ed9b2ed2b582e5ddafc90750aedba8189cc500b74a008fd414555cb7949d9a8c9fd50cda3f79849c5eb1c64b5d8994c14fc68c4448e646dac07956cde

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_17.sft

MD5 fc1c195bc18a1a2eadc0d27cc8266088
SHA1 881ff349863b69d4fc0318110c299c3d990cd47b
SHA256 8846c6e1321f550d906229cb1dc2826f36449f8d0ee11ee47642be5d0be794db
SHA512 fca0b3c79db2b6cb77db956a5ec44809b3cccebdb8380a09cfbb38de08b802aaecb915fae7c152ae47413333d32d76dc72cea790af58187393b57a450e3bdcb9

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_18.sft

MD5 9d969989ce2b029a6e6af7fd0c535c11
SHA1 4b20b6dcc2d3208fee747e88a396a41c7264406a
SHA256 ce13877b668b9b7f32f1776fa882f201becea49ad9969af7db0f96a4cf9642ea
SHA512 9222da4b352beb55116669a20db07f3e4ca48191a8d3a157dde575e88f3433a25e1a74270d7fec06a19f40df7761e6382776cc1703fbd0ee82b448b77b47e9ed

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_19.sft

MD5 60d1435d560721514ad705ba84197e2a
SHA1 eb65536cc4db381a0dc54b414857418c3efe5317
SHA256 bacd1bc6090c182bb36b3311dd52251cb720e357f1e209af4ebfa09016451da5
SHA512 d085bef8e1ae4d8bf141326d1c76662b7bed0384c379e19b6dfe38cdc58b11399520066356f89420077a132b8a67574fcd7dce5f2901ed37397376a9a27d34ef

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_2.sft

MD5 2a5bd06170d686d0eb6f00fd32ed5315
SHA1 61b1dc3abbbe3add2000fcb757064dc66cee38fc
SHA256 e89de03e09b36fb95c66362d0179bb10f8e96fb3c341d39d6b643f552fee0b0c
SHA512 faf56558beb165a55351a86fb7e61ecf3432cd2970ee52705c8a21d3043a94e9b35daa9937ec8baabdcfdc656c8e5c7c0b645689b819bd2868057715e3c9336d

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_20.sft

MD5 08512fd0169b1aafbeaec71afd41e439
SHA1 b0196a668424d7f168fe4aba7f665442551d76a2
SHA256 98f8cdbacfc0bb86808be7dab7eb2618ba451ba9093a9aba4cdf9ef47121346e
SHA512 86fdf95f2cfaa41bcd9aa71bd305b19cbc0118474920736354540cbfd12bb64679163f7c3d9b4318074e86ed40d812f438ae698b30a8bc55f354ac7c74c5c7f4

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_21.sft

MD5 7794b528a5f50b376e1091b157f91988
SHA1 c3a2e52316ccd0b303de53fcd594779baf78c8ce
SHA256 564b810063e432883d8da52a5ace46cbd0ee3231d403dff5af4a9e835bb71489
SHA512 fadd4a6ddb845521a83a36aea17b896778a4ef81e009cc1d78ccd8a7a7f2682ff52c2544dded5cd80da3e4b2621eb08c8d1ade52dd4206f854e377fcd42b7386

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_22.sft

MD5 4806944faeb2e8f3fde55037be7ef903
SHA1 b7b10db97d05773de61eac7cc4a9b99869dfaf8d
SHA256 4eb269d6b869bcf1e249fdd7bcb8895d452e6b368348d458d3dcd099f0ae1c30
SHA512 8e018d8bd2c15a20441f42dfb3432fb8574793dfab0c899a267db6b9278b2e6caea61fe15ca3880e8f57894ece53fb1ff3a5d042f929bf4f29cd3b2dd2858dca

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_24.sft

MD5 f89a068f24a9766001b8fa0beacf2481
SHA1 e73a7f82bae2fdeea8d62e2653ae950a875b0454
SHA256 c13f275ecfb0b1c0bd2f424b29a64f1d2a27ad3b8eaa4b86e2aa240843dbac1f
SHA512 330b99486281539bd84b1bca171110955fb2f6f6b291372d2e216f323f0bb7f8915d583810c21cc9a8451512d9f45a8677433e3c354ea3472697dd6aefc9a0c4

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_26.sft

MD5 56bfb7615e7b0032845bd75acde5d023
SHA1 be218da73e2958e4d72d79ad4f6baadc3a1c889d
SHA256 d7f8e30c46814c421bbf3deb851db744d16eedb4734781c1dfffae316335c9db
SHA512 fc1001dad5dc77aef46066b1d7206b51aaa9a56e6b765fb68180d6b3d18f4a3d6c741db20fabafdd562e1a68a62c700cdcb157becb4c660c0b3ca89307e306c0

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_3.sft

MD5 bf1d4960300c6fe51797e194be7055aa
SHA1 5c4a96d709bb41812011803803bdbe5baaf50674
SHA256 f43283f60d61380268b121d105ae1fde4333fb1527278cadf5792c254d740583
SHA512 c6d1894a7384cfa8446b288e147051ee94be2888af5753772e43e7290169c150df672b34692cbf8217d65d98d41604be7179c00dbfd82f399c362d24c1707758

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_6.sft

MD5 c6314b5e78ab989e62e179c001328e4b
SHA1 2c0cfefbc917e63b5fcfd7095f7a246696921bcc
SHA256 ac5e75bc857c0e7b5118d813d911751d058140a9bf829597ba923491c130e538
SHA512 ff4f3ab07d3489c458a7b7deb50afcd371b302f0401be1c1929fb9d67572a7548d6a2ec246cae9cb2e62c8fb50a6f3d19eed029983516439738a57f5facc179a

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_9.sft

MD5 f0ae2a4b547bfdd58ed8eccccb6021cf
SHA1 d37401ed92ec7d67f191fe30b6a5a7397afe7afd
SHA256 83debf20df8a017de36c12619eca7adba541415813791ede55c452b9fdbfe07a
SHA512 2a144a045b16cf378dfbf5989bfb624c65d0dc9fc8d3e01a881afb6baea8d0b6a000db8de1a985e33525ac3f9c09edaa0b7b5b07d4ec4ad9c1f73490854557bd

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_0.sft

MD5 a8b41baa1e59d4e8d79105121d6af455
SHA1 b2a0545ee15cbd1a4eebe131137d9eb499f66e11
SHA256 7d945377e816d4298478e2419045a6d15144371fc95cd6e05fd2a8af23c5a2e6
SHA512 0a7ea582a6bc03f9e34788c95f574edbc4608bf0573217032eeffc5d5289238250e2f248ab05b43af6518313b20da3cc9a7ed287b418d0384b58e635b002a66f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_12.sft

MD5 244b1a7454f0027233797b308367af0d
SHA1 16df51b27ebc465ef51bbcf5eb950bd923a82e61
SHA256 9db2df0d234559b4331a94baba98593ecfe3d8f9ece72b08db7f8e79c537692a
SHA512 9a3b193012ae9fc8432eaeb4e7f052d493cf1a4c0cbb36b01b54738268bf5c844e5870b7b2ae968f6f4376f594e755d2d1d6def21057661e3a26b57feb5e7038

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_3.sft

MD5 b8b120e4ab0e077d50029b0bfa52dca8
SHA1 01820b27eb6bfdcfd706600cd2372335a2382caf
SHA256 7ee80389bff7f0e37c1b825011c5e04b761e66acc39f5a08f83844435cc8feb0
SHA512 78b72e2c65f7a05af03d5f35873d70d9f75a2201837939ce9dcaff04fe61be367bd86fe093d77a28c747db864e6d9fa1f840cd09ea6abc1863076d9eeae65528

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_7.sft

MD5 988b86f5fd80036617e5b44cd23be896
SHA1 b1bbbfc0636ada0fc775ad4190e302b23ab369db
SHA256 28e97a3204b7bfaa4bd08279120a7703e9992d087d9e6baf742d46df5685731a
SHA512 b62a37cabea88eaf28377d02ea258d5e74d6497d83c0c8dbf2c75814f6c118876810b3983eb68bf6b3c0fd58bd2452af5c36635f73ed122c3903a10ba030d8c8

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421768_0.sft

MD5 fc304f0c3a7589e9c7a7cce2367635b3
SHA1 74a9afba0f6dd465b7b2e5e0cb710d724461c4c3
SHA256 4061266853be3a615c66370e71374a7bc6fcd90341a97f6b22f80d3a7a47c900
SHA512 c95e00f76d2ec5d32f482e1cd326421f666da0cc472b9d521aef7b2e3940cee8c52252df407e25d6036f2ec6087aa4f8bb6332a379e1f5bd183903e1260f64e4

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_9.sft

MD5 e5754aa2510f746dcbe288be7ca618c0
SHA1 5073735888f3915e5225a36e4ccb64b40679555c
SHA256 f6bfd384fcc19a775d0eb6b64f9a04b64678067f87b56839e44e9444f5af6811
SHA512 d73bb9ac54f14bae9ffea042e198dbae9a707494b370995c02affae81c2d18805fd3702ac9af8eb39134c8f4d69297cac874a78e5260c053a10ac34cad5eda21

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_8.sft

MD5 3d13ba27bffb0b4045bb88ad2e85848b
SHA1 ce6fdabb9489950414f71f96aed3b9c8306ae071
SHA256 6da670574b55006eb9c2702c1a1efa81722f6aeeeff0ff0bc664987edba64782
SHA512 ca7dc8da9f32eadac1088ba667ec3338afbe847f56a8a9075eb87b2530b13cfe2ffb624dc79e5bdda1be2a675b02e7b885cdfb9a928fd43a925eac720d80cd1a

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_6.sft

MD5 656cf42ea1817f4910ec533ce90e2930
SHA1 d7f4b44d32ab640b6539fec2d2a9c355c443288f
SHA256 1b9246711a11dc1fb6663df2bbf5879f17e2784670bbcd8a773a4b5d4e253740
SHA512 4cb0b20d1753d3a7ae469b6c1395fc93c876bf71b2ae25feeeb20d980ae3143e48417de0bd6176c9387c897f89dd77533a6d476eb5e788f5c1b959540fe7ac90

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_5.sft

MD5 394115fdeea57a0e6dfb9f6ca55ad1cd
SHA1 e6c4f7ac1c202286f062c5c7f78d383cf6ca027d
SHA256 b11b3e92c793156d0ead0f8df3830541a62c34ee29be1e7e59b73c3810aa62f5
SHA512 b4ec9cf1d85b8613ca055d8005183a80039e9d2315599c99da9f359e978b252bfa686b2c9ab006ea8cee65d41350ef042f8bc2ffad470ae3dbbfa18c6e49e341

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_4.sft

MD5 6f0dbc8a55f79138fddf6959becbb167
SHA1 831b8cc5a8c5b52922ab6444fdaafe4a4b542c8d
SHA256 244f79406becfe5e54367aa92d2b4461914a8909cbd101a739c9217388f65e15
SHA512 c4410ad8338ff85ee95a743473ff4c4c2cc72b448025d22b2962dc9985195957895651465d1e30b6259a8bdb990bd7b682d3390880379dedf706bab57ff35fd3

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_2.sft

MD5 964527caeea9629f0dc7b8124b95ac68
SHA1 582bfcffa88d9849fb65fc782ee3ce4fa44a8773
SHA256 7c09a3400a7036aba44633014612cb8b5e319d1dfd080f0515279a53c60ccd94
SHA512 beb2bb13c1a086f6c3268ed8f9b4c91eac944765ef3e5ed5787ac4dfcc89e1ee72ed3b5c773268d85acc0523c93af438f1f75c6525e7c64e79696a6af921a721

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_14.sft

MD5 8918d9d8cba88a852c1835592fb8448a
SHA1 dcdf778646e565cb316577a2a958c14e1ed8b5a5
SHA256 4057dc845d7a63e9b96bbe375c9e4ddc95b23c37bcfc6921df2f8095ab805acf
SHA512 ffbb14cc2ad2d77aad75d72de4f5961287c82cfa127bbcd7877efac2f74b76eaa40849e365f85b9c163d93c3f1e9392a31c883524e658d96b3cdb57d881cf94c

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_13.sft

MD5 4cfe235a80e439b61117c7ccec0ed27f
SHA1 0dbb52254e528a50b586b54a2bc362a871f12ccf
SHA256 88e845243d9cb8ca968773176115e1fc182d3dfcf9516ed2d9aa2e0a157a6c52
SHA512 e162652185d41b9815e0e91265523788e4060cd7210b35bc74216ac333b6eae383d0727c12da84578e958d64e6b64de1460e423f0662d3349228fd83d665a4d3

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_11.sft

MD5 6352f07989391139427990f589525a04
SHA1 633097f5182501588f8ac40599580edd83cc29c1
SHA256 e4c648c54186616a29a44ff53dbb9bd826934181f9644300b1afe8846bf38352
SHA512 dc0e72263982b727c4e9de4857898db2656ede2ed06296c2ca87e365672c712d91b7246c989be3f836c163c0f7b8619dc40b6d8769157e3760bcef9d631309b7

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_10.sft

MD5 38dc1a276b4019edf59e28728d327008
SHA1 020193812f158d57ff3a93a6985043be87765914
SHA256 90a9492d21bb0147c1eac3ecf758710114bed1ce4fa0e62602df4b10eff632f7
SHA512 72cd073da8f7e888fa95fec9a489bb326f18fd15351dec98ea485231e767ed1b06b5e168d870ac786d18bcd73538dd4995037c88f4f60cb8fd86079cb0d5d754

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421221_1.sft

MD5 c5f30f50e1ebfaf44472f1fb4d76d5e1
SHA1 f8c40f1ed7a03ba6104a1f1aeee8cefcb3390637
SHA256 d807e0679333750a8502e0013bc8bc14672ffbed0d1cc80614a992b5499171f6
SHA512 42d605d14d8a8d65e49089069a94573d15ca4d2149ceccf118a66b99059e188f189657df01b677407afdba513aae7485ce7c186c62496aca2bf3135a5965b5f3

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421127_0.sft

MD5 cc5ae89a823bad5f3ad054f31d3ac7c9
SHA1 dbad82abc0a8a0bb584366a285d3dd9fbd5cc847
SHA256 dfc66d2d1388e894e7db8ea7921bf98c43085bcd861211ef71cf73df17d9aebd
SHA512 c4a3489efc164b824b81caa382a5176a03579fccfc59fcc6a5d3ffc8d6f6ccebfb07f6ec5445fed95744ccb7da47db00065f0be6896d4fe070f473a1dade3a5c

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075421034_0.sft

MD5 b7dec362db26d7e90540f634ad8bb85e
SHA1 dfa5b0ad09084ae70ddf5b42a21a2f14e3dbb184
SHA256 d226f75365116d03caa7125b770efeea0f2f4ae67702e6b34552cedd44f0db89
SHA512 dac2bd6569dcf670bd7415e6e2c7bb638047a946d309a32f12f7f2ca7ba14aa580a625132159efad5f3283ab35e93942d0490875645715f6f6ff2f869d143fab

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420784_0.sft

MD5 c8be7240a176cad9b5d717bf100afa2d
SHA1 b1f93725fe74aed3ff15da104cf02e153d92015f
SHA256 bc00f1b50509359ac20763407e2ade0d923f5d92bd733a45d0da29c90bccb23e
SHA512 b13e262a99f83af9ece4c6fd3e65dd57f7d80f93d9e0fc944794d566a3b20ff37fd7c35de30ed2e4f25e23e3007b5277747192677778b9f5056d92df1e220421

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_8.sft

MD5 8385aa409a871a3086ead1b8e0fd40e7
SHA1 5baac6433e4cea0dafa20ad5ba1557ccbc1bbc4c
SHA256 2500f3beb944c973ffeb030584b8b2afac5e2fa875902c73f829f4d5f65f22c2
SHA512 96c25f23f3102b0191afbdf60e867767ce6b9d85cae88f8ec2bc88eb91fdb9e478c620798b91b960758dfcc75a37efca380d83601fd9b2db162cfdfb9f6d7ce6

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_7.sft

MD5 93feaf2141b7cea72592472b3f22bc07
SHA1 00be6adebc0447d55d0e30b6328429d5f9ddf15c
SHA256 b9ae18b5282d758db92ed249ff0c055f651e3f17bf8896bbe6777b415832ee16
SHA512 16c7134e26115623974500f8ab61f2674ecc880177a8405ff39231cf6b7d095f1a1bd9d9434e8102a98b5dabac5fe894249ac6267ddbbaf650169dccc8805a0f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_5.sft

MD5 df948c79f2fd5f3410a0e120da1ffe16
SHA1 7b124bad56db6ce0a31e9e3ab8e1cbf3bb5d130a
SHA256 b58806c463c62b8ec1d44fcd07d4c8d717b9367c566a780add0b51ba1cde5d27
SHA512 4e276259cd0c03b221968620282628ea9921cb71aaf5a3634006297f995c2612710988d8bd6a2fa1c0424e7ac89a0c76a5afdd0ddf7ef427aade8dc75fe226cf

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_4.sft

MD5 288de71ab57baed9c36cade6515c0ae2
SHA1 e075ff64d56c1c5d56d668b7cbe391493847309b
SHA256 8ae532ca41180afe48019890e9637cf0f011995654dcb87dc43743882820d2dd
SHA512 f1c050c59a83420807fa172ab9bb33c1166e869d5beab85f7d18977f2881595aed6102fd51db5ea57250f57a1ac1afd56d8c0939302ffd30fa6809682dd6574f

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_28.sft

MD5 43c09632f3b02ccd846bba90c8901134
SHA1 37b9946c6965c4f124d6b350ad716d292e62ba3a
SHA256 7646f19f368b9dede78677102632883f5196919961cdebe5ffe0e23eac9c4989
SHA512 1e2a65504c495ea53a880c5e1b6590f1872249ef730ce20cc1b211f5daf0b141a4a01db5c23f0239770f71021451db38eb70a9a0de9f0a65d5e6e063add30c35

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_27.sft

MD5 445e9ee0f13b2d7612cb4ec2a339a2a1
SHA1 96bef552b65f7501073fd87a078342d35c132311
SHA256 55570095ccf8a63c81a3c9e78a061a27197525e0b32e6b5a374d402aa7a0cdbf
SHA512 421a65791175c4d05ad705c45ab7241d8415603a6bdbc13609a92863478d5a21ccdc79de6815bb8c900b6ad4758c041ffde80bfd719803e8311fb9b843d93fbe

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_25.sft

MD5 131fa663c0b2abad5c5c78e653876c84
SHA1 cb34552333b014be6d4e63b09a653738f2ecae67
SHA256 39f603518fa128d1f4429d9352608f6da1ebd0c9ab1811ce16628c7d40c7634a
SHA512 0b4850c6bd37c8dc4d7994c075d37cf12f8d5c6f2137cfb23851c42daa825ef6cd10f556bf1b4c23b484facc9146cc9f492c31a8712241b5c57d791dab98d71c

C:\Users\Admin\AppData\Local\Temp\ndaData\guid_app0_1275657691_0306075420534_23.sft

MD5 922c864e14153886d365077583694cab
SHA1 1556921d714cdb4fd914afbdbf96044473e68256
SHA256 5e65eb6776ce760bc0b860ea0f8bb10bb1d9c4e05671448ac9355b24e0cf7b50
SHA512 c94bebde489d63019823b608f45084931060a76c59735e86931a4c8c2a09e1464fbc4172f06b025b8fc8c36102d1f1ff04901f2d7a13c622d5357674b18244c3