ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Analysis

max time kernel
175s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
Size

989KB
MD5

830072cd2260f8810a8086add9d9c6e0
SHA1

e1a9b7fecb8d3b7bf4723e700a46688b0b561b50
SHA256

ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
SHA512

ea0a20faf1f661af4057a82932acb8843fba64c5fe1318e504ce1281e0022496476726782456c783f10ea36df16b87371f365037856ac4d305ba199ff5c4653d
SSDEEP

24576:wQXtbnvMFKM5qZiowaE471LNPEncIJzqNrXkdMBjLWw3auh4zgR0K8/F1d7Yh:wQXtbn2KM5QiLbELNocIlqWMew3auh4F

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe,"	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe,"	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2336	ggIMcwoU.exe
4664	nYMYAAwY.exe
4768	kkQEEogA.exe
4784	nYMYAAwY.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ggIMcwoU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nYMYAAwY.exe = "C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe"	nYMYAAwY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nYMYAAwY.exe = "C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe"	kkQEEogA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nYMYAAwY.exe = "C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe"	nYMYAAwY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggIMcwoU.exe = "C:\\Users\\Admin\\ueIcYsEA\\ggIMcwoU.exe"	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nYMYAAwY.exe = "C:\\ProgramData\\VsgYMoog\\nYMYAAwY.exe"	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggIMcwoU.exe = "C:\\Users\\Admin\\ueIcYsEA\\ggIMcwoU.exe"	ggIMcwoU.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	ggIMcwoU.exe
File opened for modification	C:\Windows\SysWOW64\sheExpandUnlock.xlsm	ggIMcwoU.exe
File opened for modification	C:\Windows\SysWOW64\sheOptimizeUnlock.docm	ggIMcwoU.exe
File opened for modification	C:\Windows\SysWOW64\shePopCompare.png	ggIMcwoU.exe
File opened for modification	C:\Windows\SysWOW64\sheSwitchResume.xls	ggIMcwoU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ueIcYsEA	kkQEEogA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ueIcYsEA\ggIMcwoU	kkQEEogA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
4756	reg.exe
3044	reg.exe
3100	reg.exe
3092	reg.exe
3036	reg.exe
3168	reg.exe
1104	reg.exe
1376	reg.exe
1868	reg.exe
4536	reg.exe
2304	reg.exe
1356	reg.exe
3944	reg.exe
2384	reg.exe
4268	reg.exe
1684	reg.exe
628	reg.exe
4260	reg.exe
4968	reg.exe
4916	reg.exe
2780	reg.exe
4820	reg.exe
3456	reg.exe
4896	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4488	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4488	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4488	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4488	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2256	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2256	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2256	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2256	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
4408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3004	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3004	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3004	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
3004	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	ggIMcwoU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe
2336	ggIMcwoU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 2336	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	85
PID 3408 wrote to memory of 2336	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	85
PID 3408 wrote to memory of 2336	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	85
PID 3408 wrote to memory of 4664	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	86
PID 3408 wrote to memory of 4664	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	86
PID 3408 wrote to memory of 4664	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	86
PID 2336 wrote to memory of 4784	2336	ggIMcwoU.exe	88
PID 2336 wrote to memory of 4784	2336	ggIMcwoU.exe	88
PID 2336 wrote to memory of 4784	2336	ggIMcwoU.exe	88
PID 3408 wrote to memory of 3720	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	89
PID 3408 wrote to memory of 3720	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	89
PID 3408 wrote to memory of 3720	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	89
PID 3408 wrote to memory of 1104	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	91
PID 3408 wrote to memory of 1104	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	91
PID 3408 wrote to memory of 1104	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	91
PID 3408 wrote to memory of 2304	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	92
PID 3408 wrote to memory of 2304	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	92
PID 3408 wrote to memory of 2304	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	92
PID 3408 wrote to memory of 4260	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	95
PID 3408 wrote to memory of 4260	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	95
PID 3408 wrote to memory of 4260	3408	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	95
PID 3720 wrote to memory of 2392	3720	cmd.exe	97
PID 3720 wrote to memory of 2392	3720	cmd.exe	97
PID 3720 wrote to memory of 2392	3720	cmd.exe	97
PID 2392 wrote to memory of 1100	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	98
PID 2392 wrote to memory of 1100	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	98
PID 2392 wrote to memory of 1100	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	98
PID 2392 wrote to memory of 4968	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	100
PID 2392 wrote to memory of 4968	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	100
PID 2392 wrote to memory of 4968	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	100
PID 2392 wrote to memory of 1356	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	101
PID 2392 wrote to memory of 1356	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	101
PID 2392 wrote to memory of 1356	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	101
PID 2392 wrote to memory of 3944	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	104
PID 2392 wrote to memory of 3944	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	104
PID 2392 wrote to memory of 3944	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	104
PID 2392 wrote to memory of 5064	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	105
PID 2392 wrote to memory of 5064	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	105
PID 2392 wrote to memory of 5064	2392	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	105
PID 1100 wrote to memory of 3644	1100	cmd.exe	108
PID 1100 wrote to memory of 3644	1100	cmd.exe	108
PID 1100 wrote to memory of 3644	1100	cmd.exe	108
PID 5064 wrote to memory of 3380	5064	cmd.exe	109
PID 5064 wrote to memory of 3380	5064	cmd.exe	109
PID 5064 wrote to memory of 3380	5064	cmd.exe	109
PID 3644 wrote to memory of 4040	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	110
PID 3644 wrote to memory of 4040	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	110
PID 3644 wrote to memory of 4040	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	110
PID 4040 wrote to memory of 4488	4040	cmd.exe	112
PID 4040 wrote to memory of 4488	4040	cmd.exe	112
PID 4040 wrote to memory of 4488	4040	cmd.exe	112
PID 3644 wrote to memory of 4916	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	113
PID 3644 wrote to memory of 4916	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	113
PID 3644 wrote to memory of 4916	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	113
PID 3644 wrote to memory of 1376	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	114
PID 3644 wrote to memory of 1376	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	114
PID 3644 wrote to memory of 1376	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	114
PID 3644 wrote to memory of 2780	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	115
PID 3644 wrote to memory of 2780	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	115
PID 3644 wrote to memory of 2780	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	115
PID 3644 wrote to memory of 2988	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	116
PID 3644 wrote to memory of 2988	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	116
PID 3644 wrote to memory of 2988	3644	ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe	116
PID 2988 wrote to memory of 2292	2988	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
"C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\ueIcYsEA\ggIMcwoU.exe
  "C:\Users\Admin\ueIcYsEA\ggIMcwoU.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\ProgramData\VsgYMoog\nYMYAAwY.exe
    "C:\ProgramData\VsgYMoog\nYMYAAwY.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4784
- C:\ProgramData\VsgYMoog\nYMYAAwY.exe
  "C:\ProgramData\VsgYMoog\nYMYAAwY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
    C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
        8⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
        10⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
        12⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4"
        14⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4
        15⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKsgkcQI.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
        14⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niAUAwos.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
        12⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyMIkgcM.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
        10⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIYAwgQo.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3064
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4916
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1376
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuscIMYE.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAEcAAsc.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZusYkwcg.bat" "C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4.exe""
  2⤵
  PID:1068

C:\ProgramData\lIMgMgsk\kkQEEogA.exe
C:\ProgramData\lIMgMgsk\kkQEEogA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VsgYMoog\nYMYAAwY.exe

Filesize
983KB

MD5
8750640e66a4adea2a6157cb6febe393

SHA1
21ae35778744ace50f2334d737ae5c92ceb2f167

SHA256
24943ea8e6391d29961d5efa5f7e15493b17cd7c5c549821f0ef5e2950784312

SHA512
5402e5db326cad7473737047244c75c6ff608fcc16b5ada9ba738af7b9417f4127e27162acd1e79a7e35014eff130b2edb3fbc00d6aa55bf43ea36f5613626ec

Download Submit
C:\ProgramData\VsgYMoog\nYMYAAwY.exe

Filesize
983KB

MD5
8750640e66a4adea2a6157cb6febe393

SHA1
21ae35778744ace50f2334d737ae5c92ceb2f167

SHA256
24943ea8e6391d29961d5efa5f7e15493b17cd7c5c549821f0ef5e2950784312

SHA512
5402e5db326cad7473737047244c75c6ff608fcc16b5ada9ba738af7b9417f4127e27162acd1e79a7e35014eff130b2edb3fbc00d6aa55bf43ea36f5613626ec

Download Submit
C:\ProgramData\VsgYMoog\nYMYAAwY.exe

Filesize
983KB

MD5
8750640e66a4adea2a6157cb6febe393

SHA1
21ae35778744ace50f2334d737ae5c92ceb2f167

SHA256
24943ea8e6391d29961d5efa5f7e15493b17cd7c5c549821f0ef5e2950784312

SHA512
5402e5db326cad7473737047244c75c6ff608fcc16b5ada9ba738af7b9417f4127e27162acd1e79a7e35014eff130b2edb3fbc00d6aa55bf43ea36f5613626ec

Download Submit
C:\ProgramData\lIMgMgsk\kkQEEogA.exe

Filesize
983KB

MD5
44f95803387d536969b14e745082dedc

SHA1
39427bd3d0955b3546ccd9710edc0c5cc11b81e8

SHA256
fe9ef9cab6252c5e7b4d1f33ed944788a7adcbee39968faaa701d0965206e65b

SHA512
daf12f251089067b328de16848562669490c0fae3d3a9184cd92424c1eaafef8d17d23d614df4133277cf2f44d0c1210fcc681a6e54d262db0101ded9045c9ab

Download Submit
C:\ProgramData\lIMgMgsk\kkQEEogA.exe

Filesize
983KB

MD5
44f95803387d536969b14e745082dedc

SHA1
39427bd3d0955b3546ccd9710edc0c5cc11b81e8

SHA256
fe9ef9cab6252c5e7b4d1f33ed944788a7adcbee39968faaa701d0965206e65b

SHA512
daf12f251089067b328de16848562669490c0fae3d3a9184cd92424c1eaafef8d17d23d614df4133277cf2f44d0c1210fcc681a6e54d262db0101ded9045c9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYAwgQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZusYkwcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEcAAsc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff6854a409f6477d5272a7d93df87e68794e56d7c943c89236c2841cb15b35e4

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyMIkgcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\niAUAwos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuscIMYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKsgkcQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ueIcYsEA\ggIMcwoU.exe

Filesize
982KB

MD5
e73757d16e927a71af169a4eea1443bd

SHA1
2e7319f5e85781bcf57f3e9d5021d143cb35bc88

SHA256
7cec6b164de1b07e74d9b4ce08cca5df61508a526321d59d6db7481d67218b25

SHA512
846ff50e66ed9df91ae57d0e87bc9a85c03b854784edb7d09ed7b82ab04cda4d8fd292386375b88b42fb03a5a736f875cf40d5001e758b44d533f94c560454e4

Download Submit
C:\Users\Admin\ueIcYsEA\ggIMcwoU.exe

Filesize
982KB

MD5
e73757d16e927a71af169a4eea1443bd

SHA1
2e7319f5e85781bcf57f3e9d5021d143cb35bc88

SHA256
7cec6b164de1b07e74d9b4ce08cca5df61508a526321d59d6db7481d67218b25

SHA512
846ff50e66ed9df91ae57d0e87bc9a85c03b854784edb7d09ed7b82ab04cda4d8fd292386375b88b42fb03a5a736f875cf40d5001e758b44d533f94c560454e4

Download Submit
memory/2256-205-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2256-196-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2336-144-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2336-153-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2392-162-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2392-169-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3004-222-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3004-229-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3408-133-0x00000000049D0000-0x00000000049D5000-memory.dmp

Filesize
20KB

Download
memory/3408-236-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3408-132-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3408-135-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3408-134-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/3644-173-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3644-181-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4408-206-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4408-210-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4408-217-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4488-193-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4488-185-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4624-234-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4624-238-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4624-242-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4664-145-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4664-154-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4768-148-0x00000000036A0000-0x00000000036C6000-memory.dmp

Filesize
152KB

Download
memory/4768-146-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4768-155-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4768-147-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/4784-152-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/4784-151-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4784-156-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download