01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Size

2.0MB
MD5

c5d373a1954822afcddcc785e6ad6045
SHA1

4db2eea6bd6cf5ea40ea14c3ecbf3845d05dae73
SHA256

01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
SHA512

67a44eef568aa7d3444313256146af4e26a8614326f0b6ecf029f765733c38fb8ab54986f25969a9030de3a3bf9408373e0c1d23b049e0cfb908fa8faf1d981a
SSDEEP

24576:S2IOcUV7/Fbi06CFZZxdhf8T7njJfl0POn2AknzL+STqPeoAt6ae7yStHq+p19Sk:S1UVbRioFZZxT6SOn2AHbSTJA9TyC131

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\MagQcMAA\\ImwQgEsE.exe,"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\MagQcMAA\\ImwQgEsE.exe,"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
3068	VGIUAgQM.exe
3112	ImwQgEsE.exe
4668	UcIcsgEk.exe
3332	UcIcsgEk.exe
2896	UcIcsgEk.exe
272	UcIcsgEk.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGIUAgQM.exe = "C:\\Users\\Admin\\mOkYAwEc\\VGIUAgQM.exe"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGIUAgQM.exe = "C:\\Users\\Admin\\mOkYAwEc\\VGIUAgQM.exe"	VGIUAgQM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ImwQgEsE.exe = "C:\\ProgramData\\MagQcMAA\\ImwQgEsE.exe"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ImwQgEsE.exe = "C:\\ProgramData\\MagQcMAA\\ImwQgEsE.exe"	ImwQgEsE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4520	reg.exe
4704	reg.exe
2872	reg.exe
3896	reg.exe
3632	reg.exe
4752	reg.exe
1144	reg.exe
956	reg.exe
1948	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4432	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4432	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4432	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
4432	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4608	vssvc.exe
Token: SeRestorePrivilege	4608	vssvc.exe
Token: SeAuditPrivilege	4608	vssvc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 3068	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	81
PID 4708 wrote to memory of 3068	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	81
PID 4708 wrote to memory of 3068	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	81
PID 4708 wrote to memory of 3112	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	82
PID 4708 wrote to memory of 3112	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	82
PID 4708 wrote to memory of 3112	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	82
PID 4708 wrote to memory of 4736	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	92
PID 4708 wrote to memory of 4736	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	92
PID 4708 wrote to memory of 4736	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	92
PID 4736 wrote to memory of 4208	4736	cmd.exe	94
PID 4736 wrote to memory of 4208	4736	cmd.exe	94
PID 4736 wrote to memory of 4208	4736	cmd.exe	94
PID 4708 wrote to memory of 3896	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	95
PID 4708 wrote to memory of 3896	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	95
PID 4708 wrote to memory of 3896	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	95
PID 4708 wrote to memory of 1948	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	96
PID 4708 wrote to memory of 1948	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	96
PID 4708 wrote to memory of 1948	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	96
PID 4708 wrote to memory of 3632	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	97
PID 4708 wrote to memory of 3632	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	97
PID 4708 wrote to memory of 3632	4708	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	97
PID 4208 wrote to memory of 4692	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	105
PID 4208 wrote to memory of 4692	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	105
PID 4208 wrote to memory of 4692	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	105
PID 4208 wrote to memory of 4520	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	107
PID 4208 wrote to memory of 4520	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	107
PID 4208 wrote to memory of 4520	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	107
PID 4208 wrote to memory of 4752	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	108
PID 4208 wrote to memory of 4752	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	108
PID 4208 wrote to memory of 4752	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	108
PID 4208 wrote to memory of 4704	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	110
PID 4208 wrote to memory of 4704	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	110
PID 4208 wrote to memory of 4704	4208	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	110
PID 4692 wrote to memory of 3396	4692	cmd.exe	113
PID 4692 wrote to memory of 3396	4692	cmd.exe	113
PID 4692 wrote to memory of 3396	4692	cmd.exe	113
PID 3396 wrote to memory of 448	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	115
PID 3396 wrote to memory of 448	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	115
PID 3396 wrote to memory of 448	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	115
PID 3396 wrote to memory of 1144	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	117
PID 3396 wrote to memory of 1144	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	117
PID 3396 wrote to memory of 1144	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	117
PID 3396 wrote to memory of 2872	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	118
PID 3396 wrote to memory of 2872	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	118
PID 3396 wrote to memory of 2872	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	118
PID 3396 wrote to memory of 956	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	121
PID 3396 wrote to memory of 956	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	121
PID 3396 wrote to memory of 956	3396	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	121
PID 448 wrote to memory of 4432	448	cmd.exe	123
PID 448 wrote to memory of 4432	448	cmd.exe	123
PID 448 wrote to memory of 4432	448	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
"C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\mOkYAwEc\VGIUAgQM.exe
  "C:\Users\Admin\mOkYAwEc\VGIUAgQM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3068
- C:\ProgramData\MagQcMAA\ImwQgEsE.exe
  "C:\ProgramData\MagQcMAA\ImwQgEsE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
    C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1144
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2872
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3632

C:\ProgramData\DkMgswQk\UcIcsgEk.exe
C:\ProgramData\DkMgswQk\UcIcsgEk.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\ProgramData\DkMgswQk\UcIcsgEk.exe
C:\ProgramData\DkMgswQk\UcIcsgEk.exe
1⤵
- Executes dropped EXE
PID:3332

C:\ProgramData\DkMgswQk\UcIcsgEk.exe
C:\ProgramData\DkMgswQk\UcIcsgEk.exe
1⤵
- Executes dropped EXE
PID:2896

C:\ProgramData\DkMgswQk\UcIcsgEk.exe
C:\ProgramData\DkMgswQk\UcIcsgEk.exe
1⤵
- Executes dropped EXE
PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DkMgswQk\UcIcsgEk.exe

Filesize
2.0MB

MD5
11ca9ec09067e910505122ece2d7bac0

SHA1
72d7d4a915b7f46b55a4d3e34f880b9f1c4b8f4a

SHA256
9219f88b0923b1e979eeadbc6dda154d9cf6ec008d66a6620a1cb2f9d3139b02

SHA512
145fac8b1fa8afd79e2e206d0f1b88118e7231f799bb81f01b3f7be86db7e99f29951b62c1e990e1d243c6cb8e0e4980869fd7ba4f5730d3ef1bc94c78a912c4

Download Submit
C:\ProgramData\DkMgswQk\UcIcsgEk.exe

Filesize
2.0MB

MD5
11ca9ec09067e910505122ece2d7bac0

SHA1
72d7d4a915b7f46b55a4d3e34f880b9f1c4b8f4a

SHA256
9219f88b0923b1e979eeadbc6dda154d9cf6ec008d66a6620a1cb2f9d3139b02

SHA512
145fac8b1fa8afd79e2e206d0f1b88118e7231f799bb81f01b3f7be86db7e99f29951b62c1e990e1d243c6cb8e0e4980869fd7ba4f5730d3ef1bc94c78a912c4

Download Submit
C:\ProgramData\DkMgswQk\UcIcsgEk.exe

Filesize
2.0MB

MD5
11ca9ec09067e910505122ece2d7bac0

SHA1
72d7d4a915b7f46b55a4d3e34f880b9f1c4b8f4a

SHA256
9219f88b0923b1e979eeadbc6dda154d9cf6ec008d66a6620a1cb2f9d3139b02

SHA512
145fac8b1fa8afd79e2e206d0f1b88118e7231f799bb81f01b3f7be86db7e99f29951b62c1e990e1d243c6cb8e0e4980869fd7ba4f5730d3ef1bc94c78a912c4

Download Submit
C:\ProgramData\DkMgswQk\UcIcsgEk.exe

Filesize
2.0MB

MD5
11ca9ec09067e910505122ece2d7bac0

SHA1
72d7d4a915b7f46b55a4d3e34f880b9f1c4b8f4a

SHA256
9219f88b0923b1e979eeadbc6dda154d9cf6ec008d66a6620a1cb2f9d3139b02

SHA512
145fac8b1fa8afd79e2e206d0f1b88118e7231f799bb81f01b3f7be86db7e99f29951b62c1e990e1d243c6cb8e0e4980869fd7ba4f5730d3ef1bc94c78a912c4

Download Submit
C:\ProgramData\DkMgswQk\UcIcsgEk.exe

Filesize
2.0MB

MD5
11ca9ec09067e910505122ece2d7bac0

SHA1
72d7d4a915b7f46b55a4d3e34f880b9f1c4b8f4a

SHA256
9219f88b0923b1e979eeadbc6dda154d9cf6ec008d66a6620a1cb2f9d3139b02

SHA512
145fac8b1fa8afd79e2e206d0f1b88118e7231f799bb81f01b3f7be86db7e99f29951b62c1e990e1d243c6cb8e0e4980869fd7ba4f5730d3ef1bc94c78a912c4

Download Submit
C:\ProgramData\MagQcMAA\ImwQgEsE.exe

Filesize
2.0MB

MD5
7a32faf6f4aa34e86d9fa8fe5a9e3d48

SHA1
9e815790653a8451971ac215956257f9c6b158c1

SHA256
8ee8ce3629526f80d21fda21d3862fbf090d3c4bb3ecf28d26cefc96cd4c99c4

SHA512
99e0425519ad79bf33f2d0ec13d59d823f42c0800a123369e26ca814caba70406f297eb9e383829f10ad4b1fa77ed17e41ef3c1e08135eaaa9077a8a8e3c5e45

Download Submit
C:\ProgramData\MagQcMAA\ImwQgEsE.exe

Filesize
2.0MB

MD5
7a32faf6f4aa34e86d9fa8fe5a9e3d48

SHA1
9e815790653a8451971ac215956257f9c6b158c1

SHA256
8ee8ce3629526f80d21fda21d3862fbf090d3c4bb3ecf28d26cefc96cd4c99c4

SHA512
99e0425519ad79bf33f2d0ec13d59d823f42c0800a123369e26ca814caba70406f297eb9e383829f10ad4b1fa77ed17e41ef3c1e08135eaaa9077a8a8e3c5e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\mOkYAwEc\VGIUAgQM.exe

Filesize
2.1MB

MD5
81d3a8f05ffec8d10ba9dad818d855dc

SHA1
ea9079a62da2a1e2f95452133f7c02b9828e9f2e

SHA256
6d3836c6d5e496d25525dfa3a8c3c42bf85161cf7dfd66621462a085eac9165b

SHA512
d06d2b336da04a21e460731d098c5e289babb743b653758707a6a30f40280765198d4c75f1f9a8e84bd09dbb96429655d7bdf1bac81071645f7ee5b80d70c5a0

Download Submit
C:\Users\Admin\mOkYAwEc\VGIUAgQM.exe

Filesize
2.1MB

MD5
81d3a8f05ffec8d10ba9dad818d855dc

SHA1
ea9079a62da2a1e2f95452133f7c02b9828e9f2e

SHA256
6d3836c6d5e496d25525dfa3a8c3c42bf85161cf7dfd66621462a085eac9165b

SHA512
d06d2b336da04a21e460731d098c5e289babb743b653758707a6a30f40280765198d4c75f1f9a8e84bd09dbb96429655d7bdf1bac81071645f7ee5b80d70c5a0

Download Submit
memory/2896-176-0x0000000000700000-0x0000000000732000-memory.dmp

Filesize
200KB

Download
memory/3068-139-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3068-146-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3068-137-0x0000000002140000-0x00000000021F1000-memory.dmp

Filesize
708KB

Download
memory/3068-141-0x0000000002140000-0x00000000021F1000-memory.dmp

Filesize
708KB

Download
memory/3112-152-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/3112-145-0x00000000020D0000-0x00000000021BE000-memory.dmp

Filesize
952KB

Download
memory/3112-147-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/3112-151-0x00000000020D0000-0x00000000021BE000-memory.dmp

Filesize
952KB

Download
memory/3332-165-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/3332-163-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/3332-166-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/3396-175-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/3396-173-0x0000000000820000-0x00000000008B2000-memory.dmp

Filesize
584KB

Download
memory/4208-160-0x0000000000820000-0x00000000008B2000-memory.dmp

Filesize
584KB

Download
memory/4208-161-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/4208-164-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/4432-183-0x0000000000770000-0x0000000000802000-memory.dmp

Filesize
584KB

Download
memory/4432-186-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/4432-184-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/4668-154-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/4668-153-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/4668-150-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/4708-138-0x0000000002360000-0x00000000023F2000-memory.dmp

Filesize
584KB

Download
memory/4708-140-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/4708-132-0x0000000002360000-0x00000000023F2000-memory.dmp

Filesize
584KB

Download
memory/4708-133-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download