c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725

Analysis

max time kernel
272s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
Size

443KB
MD5

acce61c5ea00fbcd4e15e9bcf3aea724
SHA1

db5da2926b5a47197fea3e8c99209ff87a8dd6e6
SHA256

c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
SHA512

1dc25a030011b6996c6f1049360c538e0b94910b0f0ed741ef3be7f170acd5e58386d3addbe5cf39645ec0cf2bb04f7801c1821066e2db2c4a3d2624a3c1e2fe
SSDEEP

6144:xcSiSXs4HYAP2L6J3RSbURXL0kNNEBEPr2gYIbbr/e19Mpqnp+pKn5FD:xcind2LkWi70ABiKbbLlkphn5FD

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

LUsQwIYg.exeioAkogoU.exeeSAYYEcM.exe

pid process

3452 LUsQwIYg.exe
4948 ioAkogoU.exe
1272 eSAYYEcM.exe

pid	process
3452	LUsQwIYg.exe
4948	ioAkogoU.exe
1272	eSAYYEcM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eSAYYEcM.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exeLUsQwIYg.exeioAkogoU.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ioAkogoU.exe = "C:\\ProgramData\\nEEkUEcc\\ioAkogoU.exe"	eSAYYEcM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUsQwIYg.exe = "C:\\Users\\Admin\\YawYYcUU\\LUsQwIYg.exe"	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUsQwIYg.exe = "C:\\Users\\Admin\\YawYYcUU\\LUsQwIYg.exe"	LUsQwIYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ioAkogoU.exe = "C:\\ProgramData\\nEEkUEcc\\ioAkogoU.exe"	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ioAkogoU.exe = "C:\\ProgramData\\nEEkUEcc\\ioAkogoU.exe"	ioAkogoU.exe

Drops file in System32 directory 2 IoCs

Processes:

eSAYYEcM.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YawYYcUU	eSAYYEcM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YawYYcUU\LUsQwIYg	eSAYYEcM.exe

Modifies registry key 1 TTPs 27 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3428	reg.exe
2916	reg.exe
1700	reg.exe
488	reg.exe
2816	reg.exe
2152	reg.exe
4496	reg.exe
624	reg.exe
2212	reg.exe
3392	reg.exe
5112	reg.exe
1872	reg.exe
1320	reg.exe
2068	reg.exe
4740	reg.exe
3672	reg.exe
4268	reg.exe
5056	reg.exe
4976	reg.exe
3048	reg.exe
4504	reg.exe
4932	reg.exe
3868	reg.exe
3156	reg.exe
4832	reg.exe
3696	reg.exe
4684	reg.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe

pid	process
4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4936	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4936	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4936	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4936	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4592	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4592	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4592	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
4592	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3500	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3500	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3500	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3500	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3364	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3364	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3364	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
3364	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2376	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2376	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2376	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
2376	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.execmd.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.execmd.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.execmd.exec973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe

description	pid	process	target process
PID 4460 wrote to memory of 3452	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	LUsQwIYg.exe
PID 4460 wrote to memory of 3452	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	LUsQwIYg.exe
PID 4460 wrote to memory of 3452	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	LUsQwIYg.exe
PID 4460 wrote to memory of 4948	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	ioAkogoU.exe
PID 4460 wrote to memory of 4948	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	ioAkogoU.exe
PID 4460 wrote to memory of 4948	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	ioAkogoU.exe
PID 4460 wrote to memory of 2744	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 4460 wrote to memory of 2744	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 4460 wrote to memory of 2744	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 4460 wrote to memory of 3428	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 3428	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 3428	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1320	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1320	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1320	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1872	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1872	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 4460 wrote to memory of 1872	4460	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2744 wrote to memory of 2976	2744	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2744 wrote to memory of 2976	2744	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2744 wrote to memory of 2976	2744	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2976 wrote to memory of 1560	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2976 wrote to memory of 1560	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2976 wrote to memory of 1560	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2976 wrote to memory of 2916	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 2916	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 2916	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 1560 wrote to memory of 3292	1560	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 1560 wrote to memory of 3292	1560	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 1560 wrote to memory of 3292	1560	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2976 wrote to memory of 4976	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 4976	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 4976	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 3156	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 3156	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 3156	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2976 wrote to memory of 4596	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2976 wrote to memory of 4596	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2976 wrote to memory of 4596	2976	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 2660	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 2660	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 2660	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 3696	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 3696	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 3696	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4832	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4832	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4832	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4496	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4496	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 4496	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 3292 wrote to memory of 3852	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 3852	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 3292 wrote to memory of 3852	3292	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2660 wrote to memory of 2972	2660	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2660 wrote to memory of 2972	2660	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2660 wrote to memory of 2972	2660	cmd.exe	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
PID 2972 wrote to memory of 1348	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2972 wrote to memory of 1348	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2972 wrote to memory of 1348	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	cmd.exe
PID 2972 wrote to memory of 1700	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2972 wrote to memory of 1700	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2972 wrote to memory of 1700	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe
PID 2972 wrote to memory of 2212	2972	c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
"C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\YawYYcUU\LUsQwIYg.exe
"C:\Users\Admin\YawYYcUU\LUsQwIYg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3452

C:\ProgramData\nEEkUEcc\ioAkogoU.exe
"C:\ProgramData\nEEkUEcc\ioAkogoU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
4⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
6⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
8⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
10⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
12⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
14⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
16⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725"
18⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsUwYoYg.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
18⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiIwEcIU.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
16⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKkwkQgw.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
14⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCMoMAkA.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
12⤵
PID:1632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMkUIMow.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
10⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcgsYgws.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
8⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\docIoAQY.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
6⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgkoAgUk.bat" "C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725.exe""
4⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1320

C:\ProgramData\ymsQQIwY\eSAYYEcM.exe
C:\ProgramData\ymsQQIwY\eSAYYEcM.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nEEkUEcc\ioAkogoU.exe
Filesize
433KB

MD5
12112321c62697215d00ea86325d908f

SHA1
072fe3eebf9dc949506bfe60fef5f6ca1f7c1148

SHA256
7b2ae4fd31a57253cf727c3a7cd09002e4a99d6b49c1f71ceced219f4e4f174e

SHA512
8d6688509fd77e8258a02707786ac7a921be0eb5dcdf0d284769009cc16b6deeb34076bce54a8428148483839d8b0b24212a8bdbb71b8e1cc3ea948ff058269e

Download Submit
C:\ProgramData\nEEkUEcc\ioAkogoU.exe
Filesize
433KB

MD5
12112321c62697215d00ea86325d908f

SHA1
072fe3eebf9dc949506bfe60fef5f6ca1f7c1148

SHA256
7b2ae4fd31a57253cf727c3a7cd09002e4a99d6b49c1f71ceced219f4e4f174e

SHA512
8d6688509fd77e8258a02707786ac7a921be0eb5dcdf0d284769009cc16b6deeb34076bce54a8428148483839d8b0b24212a8bdbb71b8e1cc3ea948ff058269e

Download Submit
C:\ProgramData\ymsQQIwY\eSAYYEcM.exe
Filesize
433KB

MD5
50f97ce179bb2dfae525ebc42c893210

SHA1
548f40029f1d7704c922e70ecf9ec8cb714f84d4

SHA256
e2fcfa91a9e50aedb49af480cdcfe50f57eb0d840ea6228099b6a81290359d44

SHA512
7f837620aedfac2ca90b0074806b4841c7530ce2bfb0e3e8fdc95081108de672bafcbe5b38877efdc129903f58c34d9acb5d0a7ed5d65e474903ee4ab9842371

Download Submit
C:\ProgramData\ymsQQIwY\eSAYYEcM.exe
Filesize
433KB

MD5
50f97ce179bb2dfae525ebc42c893210

SHA1
548f40029f1d7704c922e70ecf9ec8cb714f84d4

SHA256
e2fcfa91a9e50aedb49af480cdcfe50f57eb0d840ea6228099b6a81290359d44

SHA512
7f837620aedfac2ca90b0074806b4841c7530ce2bfb0e3e8fdc95081108de672bafcbe5b38877efdc129903f58c34d9acb5d0a7ed5d65e474903ee4ab9842371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcgsYgws.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkoAgUk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMkUIMow.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiIwEcIU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCMoMAkA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c973c3a5ae6b1085cbb723b937dde0c92fc11b5e5e8c6a9b90701890919f3725
Filesize
7KB

MD5
4b542ae8cefb03050e85a1d80fbd2780

SHA1
d4d056dfc313af8b736b2613861f22e2cd873dc8

SHA256
e9b3ecd633671ebf77e56953405e5b33cf95d0d303f5264a10e9d9dd9c8375ee

SHA512
8200a285dc446ea5ab581a9a98a83a1923362ce700d450bc2122ab7f88b19137a5b1ddae621610ef4c89477418082007cac725c0ddf17968393d1628cd02fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\docIoAQY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKkwkQgw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\YawYYcUU\LUsQwIYg.exe
Filesize
432KB

MD5
e1c6447b5109e6edd1aea43a2b0b0576

SHA1
24efb1e48a4c54a1e39a44253a1a68e9547094ea

SHA256
b28a9ab468f3848796c200ede49c6aac7d466c4372b4a288a72e133a8465e71f

SHA512
16de72e6ad0e34e135623019859a4507e2818a0f70cd141b3421715d5da524cb74c583641a7aaa5e4966dea695d5936684d1140293f7edb710c45389795fc916

Download Submit
C:\Users\Admin\YawYYcUU\LUsQwIYg.exe
Filesize
432KB

MD5
e1c6447b5109e6edd1aea43a2b0b0576

SHA1
24efb1e48a4c54a1e39a44253a1a68e9547094ea

SHA256
b28a9ab468f3848796c200ede49c6aac7d466c4372b4a288a72e133a8465e71f

SHA512
16de72e6ad0e34e135623019859a4507e2818a0f70cd141b3421715d5da524cb74c583641a7aaa5e4966dea695d5936684d1140293f7edb710c45389795fc916

Download Submit
memory/432-227-0x0000000000000000-mapping.dmp

Download
memory/488-208-0x0000000000000000-mapping.dmp

Download
memory/624-188-0x0000000000000000-mapping.dmp

Download
memory/628-229-0x0000000000000000-mapping.dmp

Download
memory/1088-176-0x0000000000000000-mapping.dmp

Download
memory/1272-167-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1272-147-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1320-149-0x0000000000000000-mapping.dmp

Download
memory/1348-172-0x0000000000000000-mapping.dmp

Download
memory/1532-228-0x0000000000000000-mapping.dmp

Download
memory/1560-153-0x0000000000000000-mapping.dmp

Download
memory/1632-200-0x0000000000000000-mapping.dmp

Download
memory/1700-173-0x0000000000000000-mapping.dmp

Download
memory/1776-185-0x0000000000000000-mapping.dmp

Download
memory/1836-190-0x0000000000000000-mapping.dmp

Download
memory/1872-150-0x0000000000000000-mapping.dmp

Download
memory/2068-238-0x0000000000000000-mapping.dmp

Download
memory/2152-236-0x0000000000000000-mapping.dmp

Download
memory/2212-174-0x0000000000000000-mapping.dmp

Download
memory/2276-206-0x0000000000000000-mapping.dmp

Download
memory/2376-220-0x0000000000000000-mapping.dmp

Download
memory/2376-240-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2660-161-0x0000000000000000-mapping.dmp

Download
memory/2744-146-0x0000000000000000-mapping.dmp

Download
memory/2816-221-0x0000000000000000-mapping.dmp

Download
memory/2872-226-0x0000000000000000-mapping.dmp

Download
memory/2916-155-0x0000000000000000-mapping.dmp

Download
memory/2972-169-0x0000000000000000-mapping.dmp

Download
memory/2972-177-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2972-170-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2976-168-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2976-154-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2976-151-0x0000000000000000-mapping.dmp

Download
memory/3008-235-0x0000000000000000-mapping.dmp

Download
memory/3048-189-0x0000000000000000-mapping.dmp

Download
memory/3156-158-0x0000000000000000-mapping.dmp

Download
memory/3292-166-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3292-156-0x0000000000000000-mapping.dmp

Download
memory/3364-233-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3364-207-0x0000000000000000-mapping.dmp

Download
memory/3364-216-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3392-209-0x0000000000000000-mapping.dmp

Download
memory/3428-148-0x0000000000000000-mapping.dmp

Download
memory/3452-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3452-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3452-133-0x0000000000000000-mapping.dmp

Download
memory/3500-213-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3500-202-0x0000000000000000-mapping.dmp

Download
memory/3672-199-0x0000000000000000-mapping.dmp

Download
memory/3696-162-0x0000000000000000-mapping.dmp

Download
memory/3744-231-0x0000000000000000-mapping.dmp

Download
memory/3852-165-0x0000000000000000-mapping.dmp

Download
memory/3868-219-0x0000000000000000-mapping.dmp

Download
memory/3940-196-0x0000000000000000-mapping.dmp

Download
memory/4072-223-0x0000000000000000-mapping.dmp

Download
memory/4268-222-0x0000000000000000-mapping.dmp

Download
memory/4380-230-0x0000000000000000-mapping.dmp

Download
memory/4384-239-0x0000000000000000-mapping.dmp

Download
memory/4460-132-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4460-141-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4496-164-0x0000000000000000-mapping.dmp

Download
memory/4504-197-0x0000000000000000-mapping.dmp

Download
memory/4592-212-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4592-191-0x0000000000000000-mapping.dmp

Download
memory/4592-194-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4596-159-0x0000000000000000-mapping.dmp

Download
memory/4684-175-0x0000000000000000-mapping.dmp

Download
memory/4740-187-0x0000000000000000-mapping.dmp

Download
memory/4832-218-0x0000000000000000-mapping.dmp

Download
memory/4832-163-0x0000000000000000-mapping.dmp

Download
memory/4932-198-0x0000000000000000-mapping.dmp

Download
memory/4936-178-0x0000000000000000-mapping.dmp

Download
memory/4936-201-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4936-186-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4948-143-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4948-140-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4948-136-0x0000000000000000-mapping.dmp

Download
memory/4976-157-0x0000000000000000-mapping.dmp

Download
memory/4984-232-0x0000000000000000-mapping.dmp

Download
memory/5056-210-0x0000000000000000-mapping.dmp

Download
memory/5060-211-0x0000000000000000-mapping.dmp

Download
memory/5112-237-0x0000000000000000-mapping.dmp

Download