0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
24-02-2021 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample26.exe
Size

6.9MB
MD5

44e00afd00a5c8c68c2489be9303dda3
SHA1

15bc3c661fd1bb5cb25117a95402a24a8fa4e08d
SHA256

0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c
SHA512

6b44c194285602f05df7bc86ca08d2aaea141903d964fb736b5e40b92ac5cd81a8ac98ab88d66aaf17abef92e46658fa45823695c3aca2dd397c1eb9b2eb4d44

Score

10^/10

evasion persistence spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample26.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\XggAQYoo\\SGkYcAQo.exe,"	sample26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\XggAQYoo\\SGkYcAQo.exe,"	sample26.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

aIQcskAI.exeSGkYcAQo.exeGGAUUwAU.exechoco.exe

pid process

2032 aIQcskAI.exe
1972 SGkYcAQo.exe
1800 GGAUUwAU.exe
316 choco.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aIQcskAI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation	aIQcskAI.exe

Loads dropped DLL 18 IoCs

Processes:

sample26.execmd.exeaIQcskAI.exe

pid	process
1152	sample26.exe
1152	sample26.exe
1152	sample26.exe
1152	sample26.exe
1632	cmd.exe
1632	cmd.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aIQcskAI.exeSGkYcAQo.exeGGAUUwAU.exesample26.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aIQcskAI.exe = "C:\\Users\\Admin\\OoAcoIwQ\\aIQcskAI.exe"	aIQcskAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGkYcAQo.exe = "C:\\ProgramData\\XggAQYoo\\SGkYcAQo.exe"	SGkYcAQo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGkYcAQo.exe = "C:\\ProgramData\\XggAQYoo\\SGkYcAQo.exe"	GGAUUwAU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aIQcskAI.exe = "C:\\Users\\Admin\\OoAcoIwQ\\aIQcskAI.exe"	sample26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGkYcAQo.exe = "C:\\ProgramData\\XggAQYoo\\SGkYcAQo.exe"	sample26.exe

Drops file in System32 directory 2 IoCs

Processes:

GGAUUwAU.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\OoAcoIwQ	GGAUUwAU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\OoAcoIwQ\aIQcskAI	GGAUUwAU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1732 reg.exe
1744 reg.exe
268 reg.exe

pid	process
1732	reg.exe
1744	reg.exe
268	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample26.exeaIQcskAI.exe

pid	process
1152	sample26.exe
1152	sample26.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aIQcskAI.exe

pid process

2032 aIQcskAI.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

choco.exe

description pid process

Token: SeDebugPrivilege 316 choco.exe

description	pid	process
Token: SeDebugPrivilege	316	choco.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

aIQcskAI.exe

pid	process
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe
2032	aIQcskAI.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

sample26.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 2032	1152	sample26.exe	aIQcskAI.exe
PID 1152 wrote to memory of 2032	1152	sample26.exe	aIQcskAI.exe
PID 1152 wrote to memory of 2032	1152	sample26.exe	aIQcskAI.exe
PID 1152 wrote to memory of 2032	1152	sample26.exe	aIQcskAI.exe
PID 1152 wrote to memory of 1972	1152	sample26.exe	SGkYcAQo.exe
PID 1152 wrote to memory of 1972	1152	sample26.exe	SGkYcAQo.exe
PID 1152 wrote to memory of 1972	1152	sample26.exe	SGkYcAQo.exe
PID 1152 wrote to memory of 1972	1152	sample26.exe	SGkYcAQo.exe
PID 1152 wrote to memory of 1632	1152	sample26.exe	cmd.exe
PID 1152 wrote to memory of 1632	1152	sample26.exe	cmd.exe
PID 1152 wrote to memory of 1632	1152	sample26.exe	cmd.exe
PID 1152 wrote to memory of 1632	1152	sample26.exe	cmd.exe
PID 1632 wrote to memory of 316	1632	cmd.exe	choco.exe
PID 1632 wrote to memory of 316	1632	cmd.exe	choco.exe
PID 1632 wrote to memory of 316	1632	cmd.exe	choco.exe
PID 1632 wrote to memory of 316	1632	cmd.exe	choco.exe
PID 1152 wrote to memory of 1732	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1732	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1732	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1732	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1744	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1744	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1744	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 1744	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 268	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 268	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 268	1152	sample26.exe	reg.exe
PID 1152 wrote to memory of 268	1152	sample26.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\sample26.exe
"C:\Users\Admin\AppData\Local\Temp\sample26.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\OoAcoIwQ\aIQcskAI.exe
"C:\Users\Admin\OoAcoIwQ\aIQcskAI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2032

C:\ProgramData\XggAQYoo\SGkYcAQo.exe
"C:\ProgramData\XggAQYoo\SGkYcAQo.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\choco.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\choco.exe
C:\Users\Admin\AppData\Local\Temp\choco.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:268

C:\ProgramData\uYsEkAQo\GGAUUwAU.exe
C:\ProgramData\uYsEkAQo\GGAUUwAU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XggAQYoo\SGkYcAQo.exe
MD5
35cbb4db33b360b20b376aad0f71fc57

SHA1
019b095b994aea952e834ef8e70f1a6ed54b992a

SHA256
ba3e42b413b51960c3d0cb0502032e9169e205eaaf84c18f289ec2c6d3a7259c

SHA512
05ac383dc25359deb0bc50c8204696e7479c8ad6774520c90c5b0057f3d769f6ea583e12a4cbe278bf19773e06ebda7c21d1d85ee661b091664a863eaa65f1db

Download Submit
C:\ProgramData\uYsEkAQo\GGAUUwAU.exe
MD5
ad3e6a4ea73bd7577c0930165b8d2cd1

SHA1
44328cc16ff987fd3f3fab7665f8c2f3c3f395e8

SHA256
b7fd1271c3240e6f95ed644c46925deaef57928a0f5be319692d8b7dbaa2e074

SHA512
7c3486f7ba1caee8d3fe20810eed7076bfca0cec67012707584e6194d53532c417c71c67a20e1f9499cc2f49e8adcff8d01cea40cbe96f933dfae7787e773761

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\OoAcoIwQ\aIQcskAI.exe
MD5
326f4befdc7233a1103b4cf0c7ab622b

SHA1
16d24d4bbc48feb212c6ecb0cbb48dedd1685ea5

SHA256
745e1a3b36a5389313ae14abfc9a8a55a57302341c4ee3b2217564cd0ac14437

SHA512
8a1cfe81478b6c363c5c228310071086008deae0383d4ae88fd45b1242d1f45719fd6babe2bca4f6fe0847ce598896c6e89fe203600d38f339ca6fc433d435ac

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
caa6e1dcae648ce17bc57a5b7d383cc8

SHA1
21fd5579a3d001779e5b8b107a326393d35dff4c

SHA256
14ad34fa255132c22b234bb4d30fe6cfd231f4947cccdcbbb94eb85e67135d92

SHA512
e4a63894895d20d5e455d6e8c9e81256f56f30f35bf8b385be103114d2e20885f3692bb3ec5e51d1a3073a072da5405200e5ed4a35956684bb8b515a20273ccf

Download Submit
\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
caa6e1dcae648ce17bc57a5b7d383cc8

SHA1
21fd5579a3d001779e5b8b107a326393d35dff4c

SHA256
14ad34fa255132c22b234bb4d30fe6cfd231f4947cccdcbbb94eb85e67135d92

SHA512
e4a63894895d20d5e455d6e8c9e81256f56f30f35bf8b385be103114d2e20885f3692bb3ec5e51d1a3073a072da5405200e5ed4a35956684bb8b515a20273ccf

Download Submit
\ProgramData\XggAQYoo\SGkYcAQo.exe
MD5
35cbb4db33b360b20b376aad0f71fc57

SHA1
019b095b994aea952e834ef8e70f1a6ed54b992a

SHA256
ba3e42b413b51960c3d0cb0502032e9169e205eaaf84c18f289ec2c6d3a7259c

SHA512
05ac383dc25359deb0bc50c8204696e7479c8ad6774520c90c5b0057f3d769f6ea583e12a4cbe278bf19773e06ebda7c21d1d85ee661b091664a863eaa65f1db

Download Submit
\ProgramData\XggAQYoo\SGkYcAQo.exe
MD5
35cbb4db33b360b20b376aad0f71fc57

SHA1
019b095b994aea952e834ef8e70f1a6ed54b992a

SHA256
ba3e42b413b51960c3d0cb0502032e9169e205eaaf84c18f289ec2c6d3a7259c

SHA512
05ac383dc25359deb0bc50c8204696e7479c8ad6774520c90c5b0057f3d769f6ea583e12a4cbe278bf19773e06ebda7c21d1d85ee661b091664a863eaa65f1db

Download Submit
\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
\Users\Admin\OoAcoIwQ\aIQcskAI.exe
MD5
326f4befdc7233a1103b4cf0c7ab622b

SHA1
16d24d4bbc48feb212c6ecb0cbb48dedd1685ea5

SHA256
745e1a3b36a5389313ae14abfc9a8a55a57302341c4ee3b2217564cd0ac14437

SHA512
8a1cfe81478b6c363c5c228310071086008deae0383d4ae88fd45b1242d1f45719fd6babe2bca4f6fe0847ce598896c6e89fe203600d38f339ca6fc433d435ac

Download Submit
\Users\Admin\OoAcoIwQ\aIQcskAI.exe
MD5
326f4befdc7233a1103b4cf0c7ab622b

SHA1
16d24d4bbc48feb212c6ecb0cbb48dedd1685ea5

SHA256
745e1a3b36a5389313ae14abfc9a8a55a57302341c4ee3b2217564cd0ac14437

SHA512
8a1cfe81478b6c363c5c228310071086008deae0383d4ae88fd45b1242d1f45719fd6babe2bca4f6fe0847ce598896c6e89fe203600d38f339ca6fc433d435ac

Download Submit
memory/268-24-0x0000000000000000-mapping.dmp

Download
memory/316-19-0x0000000000000000-mapping.dmp

Download
memory/316-26-0x000000001B620000-0x000000001B622000-memory.dmp

Filesize
8KB

Download
memory/316-25-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/316-22-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1632-15-0x0000000000000000-mapping.dmp

Download
memory/1732-21-0x0000000000000000-mapping.dmp

Download
memory/1744-23-0x0000000000000000-mapping.dmp

Download
memory/1972-10-0x0000000000000000-mapping.dmp

Download
memory/2032-5-0x0000000000000000-mapping.dmp

Download

pid	process
2032	aIQcskAI.exe
1972	SGkYcAQo.exe
1800	GGAUUwAU.exe
316	choco.exe