7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Analysis

max time kernel
65s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
Size

726KB
MD5

a0ea30310662f37c50143fc5da86ab50
SHA1

e6170b6d05bec582849afbb49275f764b7a651b9
SHA256

7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
SHA512

7c7dd96ef91b6316780dfe0b644bba0cf6f2850be7e3695580a721373f649a19d851f1603884a2d95cb95c8d91259ab8e2a51c17877e6db35e535fba11a09300
SSDEEP

12288:VViQhHm3ri9An07OAoaK89JH4Q7h6rY0cNy/WBfcU1RTcr70i1UHmdEib6vlP:VsuHBO0CAH4EIrCy/WBRwr73pEibk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\TEAoEooA\\ESQIgMAY.exe,"	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\TEAoEooA\\ESQIgMAY.exe,"	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
3140	TYUowIgs.exe
4744	ESQIgMAY.exe
4048	HMcUQEgc.exe
332	TYUowIgs.exe
4172	ESQIgMAY.exe
224	HMcUQEgc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUowIgs.exe = "C:\\Users\\Admin\\xukYYgMs\\TYUowIgs.exe"	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESQIgMAY.exe = "C:\\ProgramData\\TEAoEooA\\ESQIgMAY.exe"	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESQIgMAY.exe = "C:\\ProgramData\\TEAoEooA\\ESQIgMAY.exe"	ESQIgMAY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUowIgs.exe = "C:\\Users\\Admin\\xukYYgMs\\TYUowIgs.exe"	TYUowIgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESQIgMAY.exe = "C:\\ProgramData\\TEAoEooA\\ESQIgMAY.exe"	HMcUQEgc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xukYYgMs	HMcUQEgc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xukYYgMs\TYUowIgs	HMcUQEgc.exe

Modifies registry key 1 TTPs 39 IoCs

Modify Registry

T1112

pid	Process
2664	reg.exe
3844	reg.exe
4916	reg.exe
2132	reg.exe
1688	reg.exe
3940	reg.exe
3068	reg.exe
1104	reg.exe
5004	reg.exe
1868	reg.exe
2628	reg.exe
2324	reg.exe
900	reg.exe
4864	reg.exe
1832	reg.exe
4340	reg.exe
4564	reg.exe
4348	reg.exe
1152	reg.exe
2620	reg.exe
4248	reg.exe
3144	reg.exe
3852	reg.exe
1928	reg.exe
4564	reg.exe
3440	reg.exe
5104	reg.exe
1308	reg.exe
2564	reg.exe
4008	reg.exe
4576	reg.exe
1780	reg.exe
4248	reg.exe
1100	reg.exe
3764	reg.exe
4508	reg.exe
1924	reg.exe
3892	reg.exe
4624	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4724	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	80
PID 4804 wrote to memory of 4724	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	80
PID 4804 wrote to memory of 4724	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	80
PID 4804 wrote to memory of 3140	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	81
PID 4804 wrote to memory of 3140	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	81
PID 4804 wrote to memory of 3140	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	81
PID 4804 wrote to memory of 4744	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	82
PID 4804 wrote to memory of 4744	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	82
PID 4804 wrote to memory of 4744	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	82
PID 3140 wrote to memory of 332	3140	TYUowIgs.exe	85
PID 3140 wrote to memory of 332	3140	TYUowIgs.exe	85
PID 3140 wrote to memory of 332	3140	TYUowIgs.exe	85
PID 4744 wrote to memory of 4172	4744	ESQIgMAY.exe	84
PID 4744 wrote to memory of 4172	4744	ESQIgMAY.exe	84
PID 4744 wrote to memory of 4172	4744	ESQIgMAY.exe	84
PID 4048 wrote to memory of 224	4048	HMcUQEgc.exe	86
PID 4048 wrote to memory of 224	4048	HMcUQEgc.exe	86
PID 4048 wrote to memory of 224	4048	HMcUQEgc.exe	86
PID 4804 wrote to memory of 3880	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	87
PID 4804 wrote to memory of 3880	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	87
PID 4804 wrote to memory of 3880	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	87
PID 4804 wrote to memory of 1924	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	89
PID 4804 wrote to memory of 1924	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	89
PID 4804 wrote to memory of 1924	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	89
PID 4804 wrote to memory of 3892	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	94
PID 4804 wrote to memory of 3892	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	94
PID 4804 wrote to memory of 3892	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	94
PID 4804 wrote to memory of 1104	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	91
PID 4804 wrote to memory of 1104	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	91
PID 4804 wrote to memory of 1104	4804	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	91
PID 3880 wrote to memory of 680	3880	cmd.exe	96
PID 3880 wrote to memory of 680	3880	cmd.exe	96
PID 3880 wrote to memory of 680	3880	cmd.exe	96
PID 680 wrote to memory of 2328	680	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	99
PID 680 wrote to memory of 2328	680	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	99
PID 680 wrote to memory of 2328	680	7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe	99

C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
"C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
  QVVV
  2⤵
  PID:4724
- C:\Users\Admin\xukYYgMs\TYUowIgs.exe
  "C:\Users\Admin\xukYYgMs\TYUowIgs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\xukYYgMs\TYUowIgs.exe
    LDZX
    3⤵
    - Executes dropped EXE
    PID:332
- C:\ProgramData\TEAoEooA\ESQIgMAY.exe
  "C:\ProgramData\TEAoEooA\ESQIgMAY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\ProgramData\TEAoEooA\ESQIgMAY.exe
    RTUX
    3⤵
    - Executes dropped EXE
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
    C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
      QVVV
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
      4⤵
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        5⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        6⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        6⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        7⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        8⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        9⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        10⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        10⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        11⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        12⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        13⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        14⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        14⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        15⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        16⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        16⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        17⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        18⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        18⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        19⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        20⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        20⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        21⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        22⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        22⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        23⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        24⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9"
        24⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9
        25⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9.exe
        
        QVVV
        26⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:2324
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1868
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:5004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3892

C:\ProgramData\tegwQIok\HMcUQEgc.exe
C:\ProgramData\tegwQIok\HMcUQEgc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4048
- C:\ProgramData\tegwQIok\HMcUQEgc.exe
  PSWL
  2⤵
  - Executes dropped EXE
  PID:224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEAoEooA\ESQIgMAY.exe

Filesize
713KB

MD5
cd34177a2ef4aa0d737990ea8792ac0b

SHA1
a43a4238d9d741227b9413431ad7852c9d20eb81

SHA256
30ef59f91e9c3dc7d62b688f4a48bf78a7f7ead30cec765079eb40256677ea68

SHA512
c0b72f0a40e66d67544076554ecd6afc40935ae34573bc64e037537d1ed184d66569da3dfa862b2b7d84ede28482250a790ecc245ffd50c26f7377c3d1691fff

Download Submit
C:\ProgramData\TEAoEooA\ESQIgMAY.exe

Filesize
713KB

MD5
cd34177a2ef4aa0d737990ea8792ac0b

SHA1
a43a4238d9d741227b9413431ad7852c9d20eb81

SHA256
30ef59f91e9c3dc7d62b688f4a48bf78a7f7ead30cec765079eb40256677ea68

SHA512
c0b72f0a40e66d67544076554ecd6afc40935ae34573bc64e037537d1ed184d66569da3dfa862b2b7d84ede28482250a790ecc245ffd50c26f7377c3d1691fff

Download Submit
C:\ProgramData\TEAoEooA\ESQIgMAY.exe

Filesize
713KB

MD5
cd34177a2ef4aa0d737990ea8792ac0b

SHA1
a43a4238d9d741227b9413431ad7852c9d20eb81

SHA256
30ef59f91e9c3dc7d62b688f4a48bf78a7f7ead30cec765079eb40256677ea68

SHA512
c0b72f0a40e66d67544076554ecd6afc40935ae34573bc64e037537d1ed184d66569da3dfa862b2b7d84ede28482250a790ecc245ffd50c26f7377c3d1691fff

Download Submit
C:\ProgramData\TEAoEooA\ESQIgMAYRTUX

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\ProgramData\tegwQIok\HMcUQEgc.exe

Filesize
715KB

MD5
a8ef8a1b62bf0cf64526322ca91097fd

SHA1
ef4e0fa821c3c6ed124202c480ff16a409b9599c

SHA256
7916f57d0809dd93fc437a218789959002c33fd3c6fc489ebeeb4c5783bfc26e

SHA512
1873c0ae473d4f4b74386278c04b93dd2a61fbce436ce72f6c34e39f1988e63489255f0b48d005e21586632e733a44603023b6e03e2760193afd299e6d4be017

Download Submit
C:\ProgramData\tegwQIok\HMcUQEgc.exe

Filesize
715KB

MD5
a8ef8a1b62bf0cf64526322ca91097fd

SHA1
ef4e0fa821c3c6ed124202c480ff16a409b9599c

SHA256
7916f57d0809dd93fc437a218789959002c33fd3c6fc489ebeeb4c5783bfc26e

SHA512
1873c0ae473d4f4b74386278c04b93dd2a61fbce436ce72f6c34e39f1988e63489255f0b48d005e21586632e733a44603023b6e03e2760193afd299e6d4be017

Download Submit
C:\ProgramData\tegwQIok\HMcUQEgc.exe

Filesize
715KB

MD5
a8ef8a1b62bf0cf64526322ca91097fd

SHA1
ef4e0fa821c3c6ed124202c480ff16a409b9599c

SHA256
7916f57d0809dd93fc437a218789959002c33fd3c6fc489ebeeb4c5783bfc26e

SHA512
1873c0ae473d4f4b74386278c04b93dd2a61fbce436ce72f6c34e39f1988e63489255f0b48d005e21586632e733a44603023b6e03e2760193afd299e6d4be017

Download Submit
C:\ProgramData\tegwQIok\HMcUQEgcPSWL

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e42cde5097c4137af5d193692c1056eb689ddd8187b4d6764946fed03e996b9QVVV

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
C:\Users\Admin\xukYYgMs\TYUowIgs.exe

Filesize
714KB

MD5
312b5e41e2e369f5603befb37333ba68

SHA1
b974e75394f4e00814b2dde4f502e96ea2ffec92

SHA256
2a303a5d1dd6dfef6e108a1ed4e1088dbc7defb8e8db5fc58f9ffc29730af07a

SHA512
0587bfec6e8d6a08c7ca8b2a475aac6c6223f471d7d16a48f81c3bc8dfda93da5e9813a6f4e26cc8da401595bf2df2a32e926171bc5ee4de86ae5b034c2eaa5f

Download Submit
C:\Users\Admin\xukYYgMs\TYUowIgs.exe

Filesize
714KB

MD5
312b5e41e2e369f5603befb37333ba68

SHA1
b974e75394f4e00814b2dde4f502e96ea2ffec92

SHA256
2a303a5d1dd6dfef6e108a1ed4e1088dbc7defb8e8db5fc58f9ffc29730af07a

SHA512
0587bfec6e8d6a08c7ca8b2a475aac6c6223f471d7d16a48f81c3bc8dfda93da5e9813a6f4e26cc8da401595bf2df2a32e926171bc5ee4de86ae5b034c2eaa5f

Download Submit
C:\Users\Admin\xukYYgMs\TYUowIgs.exe

Filesize
714KB

MD5
312b5e41e2e369f5603befb37333ba68

SHA1
b974e75394f4e00814b2dde4f502e96ea2ffec92

SHA256
2a303a5d1dd6dfef6e108a1ed4e1088dbc7defb8e8db5fc58f9ffc29730af07a

SHA512
0587bfec6e8d6a08c7ca8b2a475aac6c6223f471d7d16a48f81c3bc8dfda93da5e9813a6f4e26cc8da401595bf2df2a32e926171bc5ee4de86ae5b034c2eaa5f

Download Submit
C:\Users\Admin\xukYYgMs\TYUowIgsLDZX

Filesize
4B

MD5
9134669f44c1af0532f613b7508283c4

SHA1
1c2ac638c61bcdbc434fc74649e281bcb1381da2

SHA256
7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2

SHA512
ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

Download Submit
memory/32-244-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/220-294-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/220-280-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/220-283-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/224-155-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/224-160-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/332-162-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/680-172-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/680-179-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/680-198-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1392-268-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1436-187-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2176-221-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2176-224-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2176-241-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2176-246-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2324-255-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2324-269-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2324-267-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2324-259-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2328-174-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2464-248-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2464-266-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2464-265-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2464-242-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2960-220-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2960-201-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3140-164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3140-175-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3140-146-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3140-190-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3620-234-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3620-258-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3620-247-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3704-211-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3732-213-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3732-208-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3732-231-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3800-293-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4048-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4048-148-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4048-178-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4156-290-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4156-284-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4156-274-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4156-271-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4172-159-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4248-281-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4672-191-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4672-210-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4724-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4724-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4744-163-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4744-189-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4744-291-0x0000000009780000-0x0000000009785000-memory.dmp

Filesize
20KB

Download
memory/4744-147-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4744-292-0x0000000009A10000-0x0000000009A36000-memory.dmp

Filesize
152KB

Download
memory/4744-177-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4804-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4804-132-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4804-171-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4804-156-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5032-286-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/5032-288-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download