a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Analysis

max time kernel
10s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Size

834KB
MD5

30f15a801dc2562f4ca607c06415e810
SHA1

bca52ea91eddcd0adc20d1126b900dd771fc3e67
SHA256

a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
SHA512

387f432da3ddd26a071b544df13213eefb003dffe371f9b9ba0bf9897bd8b412672e0f16ab1c018579c948516fb203ffae66d5aa182f16f751d4fef93f76abe9
SSDEEP

12288:B3Mh0YJwRrs6EqjhVpa6J7+Yae2oIqzxi9Nm1B3tPLZKQm/jv4i2O7jZb99ckQJA:Buh6JqmQYIuCwgj9rKw

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fwksgAkI\\iSIQUwIE.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\fwksgAkI\\iSIQUwIE.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1404	UakcMYsI.exe
4568	iSIQUwIE.exe
4092	tCoAEEYA.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UakcMYsI.exe = "C:\\Users\\Admin\\iEwAkEUw\\UakcMYsI.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iSIQUwIE.exe = "C:\\ProgramData\\fwksgAkI\\iSIQUwIE.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UakcMYsI.exe = "C:\\Users\\Admin\\iEwAkEUw\\UakcMYsI.exe"	UakcMYsI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iSIQUwIE.exe = "C:\\ProgramData\\fwksgAkI\\iSIQUwIE.exe"	iSIQUwIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iSIQUwIE.exe = "C:\\ProgramData\\fwksgAkI\\iSIQUwIE.exe"	tCoAEEYA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\iEwAkEUw	tCoAEEYA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\iEwAkEUw\UakcMYsI	tCoAEEYA.exe

Modifies registry key 1 TTPs 36 IoCs

Modify Registry

T1112

pid	Process
1960	reg.exe
2164	reg.exe
4420	reg.exe
2312	reg.exe
2980	reg.exe
5104	reg.exe
4244	reg.exe
2500	reg.exe
4464	reg.exe
1944	reg.exe
1104	reg.exe
3500	reg.exe
1648	reg.exe
3336	reg.exe
4340	reg.exe
2768	reg.exe
1568	reg.exe
4740	reg.exe
2588	reg.exe
3860	reg.exe
3708	reg.exe
3968	reg.exe
5004	reg.exe
4952	reg.exe
3120	reg.exe
4392	reg.exe
2692	reg.exe
4388	reg.exe
4120	reg.exe
2528	reg.exe
2852	reg.exe
4772	reg.exe
4020	reg.exe
4024	reg.exe
4484	reg.exe
1748	reg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4848	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4848	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4848	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4848	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4812	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4812	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4812	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4812	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
4492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2112	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2112	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2112	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2112	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2004	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2004	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2004	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2004	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1440	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1440	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1440	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1440	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
672	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
672	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
672	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
672	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1404	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	84
PID 3952 wrote to memory of 1404	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	84
PID 3952 wrote to memory of 1404	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	84
PID 3952 wrote to memory of 4568	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	85
PID 3952 wrote to memory of 4568	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	85
PID 3952 wrote to memory of 4568	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	85
PID 3952 wrote to memory of 2224	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	87
PID 3952 wrote to memory of 2224	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	87
PID 3952 wrote to memory of 2224	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	87
PID 2224 wrote to memory of 4692	2224	cmd.exe	89
PID 2224 wrote to memory of 4692	2224	cmd.exe	89
PID 2224 wrote to memory of 4692	2224	cmd.exe	89
PID 3952 wrote to memory of 4420	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	90
PID 3952 wrote to memory of 4420	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	90
PID 3952 wrote to memory of 4420	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	90
PID 3952 wrote to memory of 3968	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	91
PID 3952 wrote to memory of 3968	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	91
PID 3952 wrote to memory of 3968	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	91
PID 3952 wrote to memory of 2692	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	94
PID 3952 wrote to memory of 2692	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	94
PID 3952 wrote to memory of 2692	3952	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	94
PID 4692 wrote to memory of 4184	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	96
PID 4692 wrote to memory of 4184	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	96
PID 4692 wrote to memory of 4184	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	96
PID 4692 wrote to memory of 4464	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	98
PID 4692 wrote to memory of 4464	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	98
PID 4692 wrote to memory of 4464	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	98
PID 4692 wrote to memory of 4388	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	99
PID 4692 wrote to memory of 4388	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	99
PID 4692 wrote to memory of 4388	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	99
PID 4692 wrote to memory of 3336	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	101
PID 4692 wrote to memory of 3336	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	101
PID 4692 wrote to memory of 3336	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	101
PID 4692 wrote to memory of 1912	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	103
PID 4692 wrote to memory of 1912	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	103
PID 4692 wrote to memory of 1912	4692	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	103
PID 4184 wrote to memory of 2480	4184	cmd.exe	106
PID 4184 wrote to memory of 2480	4184	cmd.exe	106
PID 4184 wrote to memory of 2480	4184	cmd.exe	106
PID 1912 wrote to memory of 1996	1912	cmd.exe	107
PID 1912 wrote to memory of 1996	1912	cmd.exe	107
PID 1912 wrote to memory of 1996	1912	cmd.exe	107
PID 2480 wrote to memory of 5104	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	108
PID 2480 wrote to memory of 5104	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	108
PID 2480 wrote to memory of 5104	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	108
PID 5104 wrote to memory of 2700	5104	cmd.exe	110
PID 5104 wrote to memory of 2700	5104	cmd.exe	110
PID 5104 wrote to memory of 2700	5104	cmd.exe	110
PID 2480 wrote to memory of 1944	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	111
PID 2480 wrote to memory of 1944	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	111
PID 2480 wrote to memory of 1944	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	111
PID 2480 wrote to memory of 5004	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	112
PID 2480 wrote to memory of 5004	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	112
PID 2480 wrote to memory of 5004	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	112
PID 2480 wrote to memory of 4952	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	117
PID 2480 wrote to memory of 4952	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	117
PID 2480 wrote to memory of 4952	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	117
PID 2480 wrote to memory of 4308	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	116
PID 2480 wrote to memory of 4308	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	116
PID 2480 wrote to memory of 4308	2480	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	116
PID 2700 wrote to memory of 3992	2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	119
PID 2700 wrote to memory of 3992	2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	119
PID 2700 wrote to memory of 3992	2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	119
PID 2700 wrote to memory of 1568	2700	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	120

C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
"C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\iEwAkEUw\UakcMYsI.exe
  "C:\Users\Admin\iEwAkEUw\UakcMYsI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1404
- C:\ProgramData\fwksgAkI\iSIQUwIE.exe
  "C:\ProgramData\fwksgAkI\iSIQUwIE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
    C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        8⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        10⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        12⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        14⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        16⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        18⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        20⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        22⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        23⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        24⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        25⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYUkEgAk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        24⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgMQIYU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        22⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SywYoAQs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        20⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIcgoooU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        18⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUQoosc.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        16⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JycMsoYs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        14⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUYgMkwo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMgIEgsM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUsEAAAI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        8⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:5004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgYcEkQM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        6⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1548
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4388
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiUkMMYY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2692

C:\ProgramData\xSYcQMYc\tCoAEEYA.exe
C:\ProgramData\xSYcQMYc\tCoAEEYA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fwksgAkI\iSIQUwIE.exe

Filesize
479KB

MD5
2b88a27b20297adce57bf783a0113838

SHA1
f690e59ea5f6cf9f7d118c90a700a07a03e2ccf8

SHA256
1c267161a8f7e7a2bfecf3eb47e1a7d2673a72155eaccc506bfcb0b9efea803f

SHA512
7af0dbe8eb812d4d67c961ac1333d6a82b03f3dfdef118987f17fd06669ddab36372a80fa5fa1838fc5cc478e2f56792590320418ef4e9ed2618a799f03504e6

Download Submit
C:\ProgramData\fwksgAkI\iSIQUwIE.exe

Filesize
479KB

MD5
2b88a27b20297adce57bf783a0113838

SHA1
f690e59ea5f6cf9f7d118c90a700a07a03e2ccf8

SHA256
1c267161a8f7e7a2bfecf3eb47e1a7d2673a72155eaccc506bfcb0b9efea803f

SHA512
7af0dbe8eb812d4d67c961ac1333d6a82b03f3dfdef118987f17fd06669ddab36372a80fa5fa1838fc5cc478e2f56792590320418ef4e9ed2618a799f03504e6

Download Submit
C:\ProgramData\xSYcQMYc\tCoAEEYA.exe

Filesize
478KB

MD5
6f3f56d0dd1661c023aa2e61efce2b4d

SHA1
5263e38985f39ac494bc8844e9f9f929b354e595

SHA256
7233ada9050367287e2c19c235b25652bd1a8d1194eff2176abda1931a2726e4

SHA512
d7171d287ffd628310fadf730ca9317d0d8cd311fcd78c8a2d9fa3701cc072691d040d837592f16fe966650b85624e4cbc93d9fe05c273b7eeb01f8617b307af

Download Submit
C:\ProgramData\xSYcQMYc\tCoAEEYA.exe

Filesize
478KB

MD5
6f3f56d0dd1661c023aa2e61efce2b4d

SHA1
5263e38985f39ac494bc8844e9f9f929b354e595

SHA256
7233ada9050367287e2c19c235b25652bd1a8d1194eff2176abda1931a2726e4

SHA512
d7171d287ffd628310fadf730ca9317d0d8cd311fcd78c8a2d9fa3701cc072691d040d837592f16fe966650b85624e4cbc93d9fe05c273b7eeb01f8617b307af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiUkMMYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JycMsoYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkgMQIYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYUkEgAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SywYoAQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUsEAAAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayUQoosc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUYgMkwo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgYcEkQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcgoooU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMgIEgsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\iEwAkEUw\UakcMYsI.exe

Filesize
478KB

MD5
2b708844e7dd3634e1d5500a21be43af

SHA1
8992d760b3985b9679a3a12534438774bea57592

SHA256
126b198ba6c0dda9f1d54f0bcf70b4577c8a9bef8878ea763bd4dbf4e725a21f

SHA512
461ab5e3695b62c265251967402e7eb963baffc847574943a43fd17d54a5f67299f09597df99fbf01c42d55c1c148405dfaa07646ec2bceea69518df554ec264

Download Submit
C:\Users\Admin\iEwAkEUw\UakcMYsI.exe

Filesize
478KB

MD5
2b708844e7dd3634e1d5500a21be43af

SHA1
8992d760b3985b9679a3a12534438774bea57592

SHA256
126b198ba6c0dda9f1d54f0bcf70b4577c8a9bef8878ea763bd4dbf4e725a21f

SHA512
461ab5e3695b62c265251967402e7eb963baffc847574943a43fd17d54a5f67299f09597df99fbf01c42d55c1c148405dfaa07646ec2bceea69518df554ec264

Download Submit
memory/672-245-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1404-143-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1440-241-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2004-231-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2112-224-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2480-166-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2700-167-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2700-175-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3952-132-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4092-146-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4412-249-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4412-250-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4492-212-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4568-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4692-156-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4812-201-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4848-185-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4848-190-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download