b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Analysis

max time kernel
75s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
Size

725KB
MD5

4185a0ebac66be79ea4863e74e8eaa90
SHA1

4dd1b7433c780cb6eee66f2776ee91ced30f55e3
SHA256

b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
SHA512

25a78e51494d33341c1fbe9faa26ef76bbaff545bb920ad069a316d78c05de47fa2528248a78473aefa22f5c7e7d0a52b7eadd94dc0de05c7a497bda48a4b7af
SSDEEP

12288:sExXoG/3F0nLUlPIpTta7e/NU/3PwoNF7abOgHtkGG64Kg2o7ZmZcc1geFpBnKAP:sEx4e0YlItayK3fn70TKGG6PgEcXebJz

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\bmkAcwIc\\CCAwcgwc.exe,"	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\bmkAcwIc\\CCAwcgwc.exe,"	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
2164	GagwkEoE.exe
3784	CCAwcgwc.exe
4864	fksMAkwk.exe
1820	GagwkEoE.exe
3276	CCAwcgwc.exe
2664	fksMAkwk.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCAwcgwc.exe = "C:\\ProgramData\\bmkAcwIc\\CCAwcgwc.exe"	fksMAkwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GagwkEoE.exe = "C:\\Users\\Admin\\uEUUEEYg\\GagwkEoE.exe"	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCAwcgwc.exe = "C:\\ProgramData\\bmkAcwIc\\CCAwcgwc.exe"	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCAwcgwc.exe = "C:\\ProgramData\\bmkAcwIc\\CCAwcgwc.exe"	CCAwcgwc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GagwkEoE.exe = "C:\\Users\\Admin\\uEUUEEYg\\GagwkEoE.exe"	GagwkEoE.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uEUUEEYg\GagwkEoE	fksMAkwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uEUUEEYg	fksMAkwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 30 IoCs

Modify Registry

T1112

pid	Process
4500	reg.exe
4248	reg.exe
1972	reg.exe
1932	reg.exe
2112	reg.exe
3424	reg.exe
2484	reg.exe
1116	reg.exe
4860	reg.exe
1888	reg.exe
1664	reg.exe
1756	reg.exe
4528	reg.exe
3652	reg.exe
3452	reg.exe
956	reg.exe
3704	reg.exe
2160	reg.exe
1756	reg.exe
5032	reg.exe
2468	reg.exe
516	reg.exe
1484	reg.exe
3856	reg.exe
3380	reg.exe
4476	reg.exe
2404	reg.exe
4556	reg.exe
280	reg.exe
5092	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3844	vssvc.exe
Token: SeRestorePrivilege	3844	vssvc.exe
Token: SeAuditPrivilege	3844	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4380	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	81
PID 3980 wrote to memory of 4380	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	81
PID 3980 wrote to memory of 4380	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	81
PID 3980 wrote to memory of 2164	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	84
PID 3980 wrote to memory of 2164	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	84
PID 3980 wrote to memory of 2164	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	84
PID 3980 wrote to memory of 3784	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	86
PID 3980 wrote to memory of 3784	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	86
PID 3980 wrote to memory of 3784	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	86
PID 2164 wrote to memory of 1820	2164	GagwkEoE.exe	88
PID 2164 wrote to memory of 1820	2164	GagwkEoE.exe	88
PID 2164 wrote to memory of 1820	2164	GagwkEoE.exe	88
PID 3784 wrote to memory of 3276	3784	CCAwcgwc.exe	89
PID 3784 wrote to memory of 3276	3784	CCAwcgwc.exe	89
PID 3784 wrote to memory of 3276	3784	CCAwcgwc.exe	89
PID 4864 wrote to memory of 2664	4864	fksMAkwk.exe	90
PID 4864 wrote to memory of 2664	4864	fksMAkwk.exe	90
PID 4864 wrote to memory of 2664	4864	fksMAkwk.exe	90
PID 3980 wrote to memory of 4216	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	92
PID 3980 wrote to memory of 4216	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	92
PID 3980 wrote to memory of 4216	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	92
PID 4216 wrote to memory of 4028	4216	cmd.exe	94
PID 4216 wrote to memory of 4028	4216	cmd.exe	94
PID 4216 wrote to memory of 4028	4216	cmd.exe	94
PID 3980 wrote to memory of 1888	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	95
PID 3980 wrote to memory of 1888	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	95
PID 3980 wrote to memory of 1888	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	95
PID 3980 wrote to memory of 2484	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	100
PID 3980 wrote to memory of 2484	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	100
PID 3980 wrote to memory of 2484	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	100
PID 3980 wrote to memory of 956	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	99
PID 3980 wrote to memory of 956	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	99
PID 3980 wrote to memory of 956	3980	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	99
PID 4028 wrote to memory of 680	4028	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	104
PID 4028 wrote to memory of 680	4028	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	104
PID 4028 wrote to memory of 680	4028	b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe	104

C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
"C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
  LQIR
  2⤵
  PID:4380
- C:\Users\Admin\uEUUEEYg\GagwkEoE.exe
  "C:\Users\Admin\uEUUEEYg\GagwkEoE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\uEUUEEYg\GagwkEoE.exe
    SWYM
    3⤵
    - Executes dropped EXE
    PID:1820
- C:\ProgramData\bmkAcwIc\CCAwcgwc.exe
  "C:\ProgramData\bmkAcwIc\CCAwcgwc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\ProgramData\bmkAcwIc\CCAwcgwc.exe
    RTHB
    3⤵
    - Executes dropped EXE
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
    C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
      LQIR
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
      4⤵
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        5⤵
        
        PID:3116
      - C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        6⤵
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        6⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        7⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        8⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        9⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        10⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        10⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        11⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        12⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        12⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        13⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        14⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        14⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        15⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        16⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        16⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        17⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        18⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        18⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        19⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        20⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e"
        20⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e
        21⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e.exe
        
        LQIR
        22⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2468
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4476
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2484

C:\ProgramData\fMkAcMwA\fksMAkwk.exe
C:\ProgramData\fMkAcMwA\fksMAkwk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4864
- C:\ProgramData\fMkAcMwA\fksMAkwk.exe
  TUKF
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bmkAcwIc\CCAwcgwc.exe

Filesize
715KB

MD5
427a8505fc268bffb46da8514d17acef

SHA1
0a4d896ad618f2eb493626fcbc131a2a57ab37b2

SHA256
9118e7c2eec271f544a5b1ca5dc4e385ecb8d2a257293fe9ad760ec82501b826

SHA512
569aebf175e8a8e967aff688a8b07beb5f558d66c3fc34b1c28eaa6c478a194254bbfc9d808effd407cf1d8c7bf1dcdf8f0bf04092614a9b3608deeed95239d7

Download Submit
C:\ProgramData\bmkAcwIc\CCAwcgwc.exe

Filesize
715KB

MD5
427a8505fc268bffb46da8514d17acef

SHA1
0a4d896ad618f2eb493626fcbc131a2a57ab37b2

SHA256
9118e7c2eec271f544a5b1ca5dc4e385ecb8d2a257293fe9ad760ec82501b826

SHA512
569aebf175e8a8e967aff688a8b07beb5f558d66c3fc34b1c28eaa6c478a194254bbfc9d808effd407cf1d8c7bf1dcdf8f0bf04092614a9b3608deeed95239d7

Download Submit
C:\ProgramData\bmkAcwIc\CCAwcgwc.exe

Filesize
715KB

MD5
427a8505fc268bffb46da8514d17acef

SHA1
0a4d896ad618f2eb493626fcbc131a2a57ab37b2

SHA256
9118e7c2eec271f544a5b1ca5dc4e385ecb8d2a257293fe9ad760ec82501b826

SHA512
569aebf175e8a8e967aff688a8b07beb5f558d66c3fc34b1c28eaa6c478a194254bbfc9d808effd407cf1d8c7bf1dcdf8f0bf04092614a9b3608deeed95239d7

Download Submit
C:\ProgramData\bmkAcwIc\CCAwcgwcRTHB

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\ProgramData\fMkAcMwA\fksMAkwk.exe

Filesize
714KB

MD5
fd83d100f38100f6971127950935f80f

SHA1
5e8ef1e6622f9e0e0e293a332dc9914c1d93db05

SHA256
fa6dae018720699b02ecd2cee2a8425ad78ca3bb6632d0cc3a57a175d44e7796

SHA512
779d84d10ac6807e7f910e730c7b6f50a3b96102caef56c7dd2cb8655c86e87245306fd1a9b610244407ac09b6fda42094a5a3e2b198e3ba8d7642196dd82eb4

Download Submit
C:\ProgramData\fMkAcMwA\fksMAkwk.exe

Filesize
714KB

MD5
fd83d100f38100f6971127950935f80f

SHA1
5e8ef1e6622f9e0e0e293a332dc9914c1d93db05

SHA256
fa6dae018720699b02ecd2cee2a8425ad78ca3bb6632d0cc3a57a175d44e7796

SHA512
779d84d10ac6807e7f910e730c7b6f50a3b96102caef56c7dd2cb8655c86e87245306fd1a9b610244407ac09b6fda42094a5a3e2b198e3ba8d7642196dd82eb4

Download Submit
C:\ProgramData\fMkAcMwA\fksMAkwk.exe

Filesize
714KB

MD5
fd83d100f38100f6971127950935f80f

SHA1
5e8ef1e6622f9e0e0e293a332dc9914c1d93db05

SHA256
fa6dae018720699b02ecd2cee2a8425ad78ca3bb6632d0cc3a57a175d44e7796

SHA512
779d84d10ac6807e7f910e730c7b6f50a3b96102caef56c7dd2cb8655c86e87245306fd1a9b610244407ac09b6fda42094a5a3e2b198e3ba8d7642196dd82eb4

Download Submit
C:\ProgramData\fMkAcMwA\fksMAkwkTUKF

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475e

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\b053532e2d9b12521c35bc62441e5280ecc7376676e53e2cb10450f3df97475eLQIR

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\uEUUEEYg\GagwkEoE.exe

Filesize
714KB

MD5
764a3f67c5ba2ed0391d734def8acab0

SHA1
972e52452f9b0154248ca57465cd5153c43689d4

SHA256
8a7eddb76fd3a413b2151e30e63abd9dda74957430f4cc7dce622933b9d0da7f

SHA512
32b67c3828725714ac0089668bfdcd2c70616ba968f1969f686d7d1bfa313dd75c11baff70f49d2f209c41bf3f610ae819d124a465e80d66f5ad60a8549b2f04

Download Submit
C:\Users\Admin\uEUUEEYg\GagwkEoE.exe

Filesize
714KB

MD5
764a3f67c5ba2ed0391d734def8acab0

SHA1
972e52452f9b0154248ca57465cd5153c43689d4

SHA256
8a7eddb76fd3a413b2151e30e63abd9dda74957430f4cc7dce622933b9d0da7f

SHA512
32b67c3828725714ac0089668bfdcd2c70616ba968f1969f686d7d1bfa313dd75c11baff70f49d2f209c41bf3f610ae819d124a465e80d66f5ad60a8549b2f04

Download Submit
C:\Users\Admin\uEUUEEYg\GagwkEoE.exe

Filesize
714KB

MD5
764a3f67c5ba2ed0391d734def8acab0

SHA1
972e52452f9b0154248ca57465cd5153c43689d4

SHA256
8a7eddb76fd3a413b2151e30e63abd9dda74957430f4cc7dce622933b9d0da7f

SHA512
32b67c3828725714ac0089668bfdcd2c70616ba968f1969f686d7d1bfa313dd75c11baff70f49d2f209c41bf3f610ae819d124a465e80d66f5ad60a8549b2f04

Download Submit
C:\Users\Admin\uEUUEEYg\GagwkEoESWYM

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
memory/632-225-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1132-216-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1132-233-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1132-215-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1180-238-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1820-162-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1820-155-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2164-166-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2164-146-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2164-168-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2164-179-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2520-273-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2520-284-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2520-278-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2664-158-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2664-164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2748-213-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3116-203-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3116-192-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3116-201-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3276-157-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3276-161-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3784-169-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3784-178-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3784-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3784-147-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3980-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3980-149-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3980-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4028-182-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4028-176-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4028-188-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4044-202-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4044-210-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4044-211-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4172-235-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4172-240-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4172-252-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4172-249-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4256-275-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4268-272-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4268-264-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4268-277-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4380-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4380-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4452-227-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4452-223-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4452-237-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4452-246-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4592-253-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4592-248-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4592-265-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4592-260-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4864-180-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4864-170-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4864-167-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4864-148-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4932-262-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download