ec2c57559451ce2035b87787377deff11adf05766a20befa77e1bc652651c624

Analysis

max time kernel
192s
max time network
115s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
Size

2.1MB
MD5

ffc9b11fc8dea0432f634a37f4b05e42
SHA1

e0fc237a8f07c11cf167082bd1eb3ffe9c4f8bef
SHA256

ec2c57559451ce2035b87787377deff11adf05766a20befa77e1bc652651c624
SHA512

911e18d00b9a9ee80f3630a4050721a549c106af29c54b3174c1d38aa66c7cf7ca0c13a697d92dfb3cf8e8a6b0c0a9422950ed653307e3e38bd5411c6f8e8085
SSDEEP

49152:eWWdEEJt1NkLksmKj8BdfHEJOjrICfbSa8DAn:oJt7

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\hYwkcckc\\AcIQgoQM.exe,"	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\hYwkcckc\\AcIQgoQM.exe,"	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ConfirmUnregister.png.exe	UsAYAgAA.exe

Executes dropped EXE 3 IoCs

pid	Process
1156	UsAYAgAA.exe
884	AcIQgoQM.exe
728	ZawgQMcI.exe

Loads dropped DLL 26 IoCs

pid	Process
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe
1156	UsAYAgAA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\UsAYAgAA.exe = "C:\\Users\\Admin\\EqkswEoQ\\UsAYAgAA.exe"	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AcIQgoQM.exe = "C:\\ProgramData\\hYwkcckc\\AcIQgoQM.exe"	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\UsAYAgAA.exe = "C:\\Users\\Admin\\EqkswEoQ\\UsAYAgAA.exe"	UsAYAgAA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AcIQgoQM.exe = "C:\\ProgramData\\hYwkcckc\\AcIQgoQM.exe"	AcIQgoQM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AcIQgoQM.exe = "C:\\ProgramData\\hYwkcckc\\AcIQgoQM.exe"	ZawgQMcI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EqkswEoQ	ZawgQMcI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EqkswEoQ\UsAYAgAA	ZawgQMcI.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	UsAYAgAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 27 IoCs

Modify Registry

T1112

pid	Process
1712	reg.exe
3040	reg.exe
2552	reg.exe
1808	reg.exe
2132	reg.exe
2576	reg.exe
2776	reg.exe
2000	reg.exe
1632	reg.exe
2684	reg.exe
3032	reg.exe
1308	reg.exe
1908	reg.exe
2404	reg.exe
2752	reg.exe
1908	reg.exe
1320	reg.exe
2692	reg.exe
2136	reg.exe
2144	reg.exe
392	reg.exe
2676	reg.exe
1488	reg.exe
1960	reg.exe
1812	reg.exe
3048	reg.exe
1924	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1204	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1204	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1908	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
1908	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
2560	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
2560	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
3020	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
3020	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
912	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
912	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
2420	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
2420	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	556	vssvc.exe
Token: SeRestorePrivilege	556	vssvc.exe
Token: SeAuditPrivilege	556	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1156	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	28
PID 1412 wrote to memory of 1156	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	28
PID 1412 wrote to memory of 1156	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	28
PID 1412 wrote to memory of 1156	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	28
PID 1412 wrote to memory of 884	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	29
PID 1412 wrote to memory of 884	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	29
PID 1412 wrote to memory of 884	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	29
PID 1412 wrote to memory of 884	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	29
PID 1412 wrote to memory of 1720	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	31
PID 1412 wrote to memory of 1720	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	31
PID 1412 wrote to memory of 1720	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	31
PID 1412 wrote to memory of 1720	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	31
PID 1720 wrote to memory of 1608	1720	cmd.exe	33
PID 1720 wrote to memory of 1608	1720	cmd.exe	33
PID 1720 wrote to memory of 1608	1720	cmd.exe	33
PID 1720 wrote to memory of 1608	1720	cmd.exe	33
PID 1412 wrote to memory of 1808	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	34
PID 1412 wrote to memory of 1808	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	34
PID 1412 wrote to memory of 1808	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	34
PID 1412 wrote to memory of 1808	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	34
PID 1412 wrote to memory of 1308	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	35
PID 1412 wrote to memory of 1308	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	35
PID 1412 wrote to memory of 1308	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	35
PID 1412 wrote to memory of 1308	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	35
PID 1412 wrote to memory of 1488	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	36
PID 1412 wrote to memory of 1488	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	36
PID 1412 wrote to memory of 1488	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	36
PID 1412 wrote to memory of 1488	1412	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	36
PID 1608 wrote to memory of 584	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	40
PID 1608 wrote to memory of 584	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	40
PID 1608 wrote to memory of 584	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	40
PID 1608 wrote to memory of 584	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	40
PID 584 wrote to memory of 812	584	cmd.exe	42
PID 584 wrote to memory of 812	584	cmd.exe	42
PID 584 wrote to memory of 812	584	cmd.exe	42
PID 584 wrote to memory of 812	584	cmd.exe	42
PID 1608 wrote to memory of 1908	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	43
PID 1608 wrote to memory of 1908	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	43
PID 1608 wrote to memory of 1908	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	43
PID 1608 wrote to memory of 1908	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	43
PID 1608 wrote to memory of 1960	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	44
PID 1608 wrote to memory of 1960	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	44
PID 1608 wrote to memory of 1960	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	44
PID 1608 wrote to memory of 1960	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	44
PID 1608 wrote to memory of 1924	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	46
PID 1608 wrote to memory of 1924	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	46
PID 1608 wrote to memory of 1924	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	46
PID 1608 wrote to memory of 1924	1608	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	46
PID 812 wrote to memory of 1044	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	52
PID 812 wrote to memory of 1044	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	52
PID 812 wrote to memory of 1044	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	52
PID 812 wrote to memory of 1044	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	52
PID 1044 wrote to memory of 1204	1044	cmd.exe	54
PID 1044 wrote to memory of 1204	1044	cmd.exe	54
PID 1044 wrote to memory of 1204	1044	cmd.exe	54
PID 1044 wrote to memory of 1204	1044	cmd.exe	54
PID 812 wrote to memory of 2000	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	60
PID 812 wrote to memory of 2000	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	60
PID 812 wrote to memory of 2000	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	60
PID 812 wrote to memory of 2000	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	60
PID 812 wrote to memory of 1908	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	59
PID 812 wrote to memory of 1908	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	59
PID 812 wrote to memory of 1908	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	59
PID 812 wrote to memory of 1908	812	20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\EqkswEoQ\UsAYAgAA.exe
  "C:\Users\Admin\EqkswEoQ\UsAYAgAA.exe"
  2⤵
  - Modifies extensions of user files
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:1156
- C:\ProgramData\hYwkcckc\AcIQgoQM.exe
  "C:\ProgramData\hYwkcckc\AcIQgoQM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        8⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        10⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        12⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        14⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        16⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock"
        18⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock
        19⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:392
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1908
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1308
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1488

C:\ProgramData\kqgEAMYI\ZawgQMcI.exe
C:\ProgramData\kqgEAMYI\ZawgQMcI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
2.1MB

MD5
72d41ef3c836608d81de5df1420205e2

SHA1
f22b01379ce14cb49b1d217695a9561e1e86b277

SHA256
ad5c2412fa2ebb5ea2f09071ae3319c3d45d182258ff07ed9dc4f0fa7edc945a

SHA512
e22174812441afa7f1650b6d365f3a960f838e0b10194f9995473ac9ef8af2890f9ab8b4682d7440559805f05600194c660bc8cb7739aa46ac43b53491959fe0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
2.0MB

MD5
31a2b370281da3a854044670a9b7f9bb

SHA1
887226886dc6077ba8f0ad139509be7716df0a68

SHA256
b6853ab15ad3f663cc97b74627d51caaa4f6aa1d5a6af38b569dd032a71172a3

SHA512
d855d5977fed09c154a3d9c4703cd3d0ec1ba145ede691ec7ee55c03af245b8b4d203f5ed6481d4e9353714cc31100c1547829b8ecfca9238063e3bffd5f9829

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
2.0MB

MD5
4089f87b781af20bd4809138ff8b3dc9

SHA1
633271efeb53f2b85decd7af5536ca89a7280442

SHA256
2a41940fcf92e316a61a13fc63b08c44e3fcd37c0975006d9e4e2c6e7415c3e6

SHA512
35f4660bb098281ef032650c80996464918000ca5a931c3c950c8e5732deb7e37483fd0744f8d212573e94af4ab4348b11bc9587c652dc72619da54017d7cedd

Download Submit
C:\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
C:\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
C:\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
C:\ProgramData\kqgEAMYI\ZawgQMcI.exe

Filesize
2.0MB

MD5
644d4a851224a8f72cbac96331b17067

SHA1
702d28976c96b4133b7368ed67eebd7db4ab43aa

SHA256
f8a09ec3f092b2e3daff42a80aeea189f4c4a222cf02141d322553e6a8f2191c

SHA512
2b0a8faf9f20e0e656f24d1b8088d08d9177572901db831ceed1a62356dcd75691033b5a4ccd4979454655f2df8177afc4d40ffc82425861ad824c6ed277c7e9

Download Submit
C:\ProgramData\kqgEAMYI\ZawgQMcI.exe

Filesize
2.0MB

MD5
644d4a851224a8f72cbac96331b17067

SHA1
702d28976c96b4133b7368ed67eebd7db4ab43aa

SHA256
f8a09ec3f092b2e3daff42a80aeea189f4c4a222cf02141d322553e6a8f2191c

SHA512
2b0a8faf9f20e0e656f24d1b8088d08d9177572901db831ceed1a62356dcd75691033b5a4ccd4979454655f2df8177afc4d40ffc82425861ad824c6ed277c7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20230429ffc9b11fc8dea0432f634a37f4b05e42virlock

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkAIowIo.bat

Filesize
4B

MD5
1fcad51ffdff44c5313f437a654c89fd

SHA1
b213390242392161a92e5b26a5503c74123aff99

SHA256
9cb72e900ffe69b369e937bc1f173122820a454cf401562fbd36b6e5248d2bb3

SHA512
23bf24813cf5b95536f894c3fa774536106c7472a3610f22fb9fb937a9623eb4c72e1040c25eefb2b666941fa764377c833dfe882470e09752f07052a397f740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGgkMYQs.bat

Filesize
4B

MD5
0f321c129090a9417ae8c8d40dd26f98

SHA1
6a0fa958e23109f5523c2e5497707810ae9bde19

SHA256
89faaa16451abf2e31406378000b3597b33dc85a903084eef96ca20b120b52dd

SHA512
9c0faca0b9b4e5c1ddc6a412f44467e98f69eeb2dd0cfa30a8e4bcf55f9cf22213d1049e7f0f1528b2c380aa1cc7d47de1f10e5844c1eb6f27979790badd240c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeAgEsMQ.bat

Filesize
4B

MD5
de373d1d0cd8b330f560bfdd0379284b

SHA1
1cb8d8481b73caba60310cde73530c0146ad0e4f

SHA256
f13d88bbc5b1b4c5363fb24b49bc1b971436b83c46f7da125f3a4b3b5699db98

SHA512
8265f151fee7c520a25fbaeb232727955c10b970255fd145f69de6dae2eb5f6782993c08b22cbeccf556184e10ba317a4b0f04c00cea931167b4cc34454449cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\REsEYQUo.bat

Filesize
4B

MD5
5fa533c95bc497474db852e7040e5b3d

SHA1
ad86e1a32aa349e6c4503cf7165f97d7539c1786

SHA256
d3a88b76c734b572847e004dc32a2cd8eba4d8c10504d23cb88a90f7676a4058

SHA512
7950693aa9274536034277ce0303616235dfe78f48e49f2441620b0e4f237c7b19607d6a55085f66f0f44a1ec5803b7f4c3e8b21018837d513da3767b69049dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bywYocgw.bat

Filesize
4B

MD5
087348dd9a624a0dff233e2955b7f654

SHA1
f2e1382c32d6b7b80cb70010a7121285a79dbed3

SHA256
e54aa09db22bac423e2cf488279a0bac6bfa405beb7da4503d2e143f30bd79c8

SHA512
d1b480d70d4fa11fe9ddad8dacd7421d08153acd80f281dc141ae7e121a775278e09520726db8b15d23769313af80b63198822addb47cfbe6a172966c38f3ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQMAAkIw.bat

Filesize
4B

MD5
7678b555cab9d26ee5dfebdc74ab69b0

SHA1
139216ebe889b724fa25b1e7b15feeaef054529c

SHA256
6d25cbf2c7466062ef9c786dfa881856411148d71cf6bda90f4fbff7db06c473

SHA512
025ddf6b6c34c272148052a9bc83b91c94ace832c570c50934539b732f47a7eaef0594a620b7b6fa4d602a3a603d5ba9bdcfee938ea66c09b60e287e916640bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIIoAoEc.bat

Filesize
4B

MD5
0b66655f24ab83942c45b72167246c0e

SHA1
91e5b26c0dbf30f968124fd0f915f96116224313

SHA256
83a83504d5deeb12289cd525e82b68227c7f24cc5285cff2c951f2420663efca

SHA512
303ac760e60af22d8d234ba93d49048163278189f6d09ecd95b38a6c8a5cf0ad4c27ab33690c18a30275db80afa99121b530b0cddfca0be3fdbaaa6d71bbbf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUMMcUEk.bat

Filesize
4B

MD5
120983a02c94989760e386c3b24c9662

SHA1
306a77a4792495dda980a0019a594f291ec50ac3

SHA256
1ec8a5188448f3146b471b5382a748b03eb66f334f0d939286ab854b11b0c9f1

SHA512
0beac61cfbd0b16cfd20d6bad4b1a88d46b81485adf1506f60eb88b07df1bde59e35881a7f64d9c3baf58486266b3877d2773c69db7639c408ffe803c575ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmQQoEsY.bat

Filesize
4B

MD5
bbcfb9d054895f4cd186f4480f9425a1

SHA1
fb53ac83ac7a6a764b279aced7c1c416250ae1ec

SHA256
0a247650061a5d57216575674d8c6497992833c542b2d94ddafba651e19576aa

SHA512
9911e78a620097833fe8de6a99c719c5f887afd41e16bd2063dd3350b8a6901832d183e2dc9d692fbb5e836ed5461354b52dd6a15a50b27705ef7ae3267bb473

Download Submit
C:\Users\Admin\EqkswEoQ\FIEC.exe

Filesize
2.1MB

MD5
b93fe413287ab8fa4873b5cded1c61b5

SHA1
7bf124d8cc0c376506f2f866c9a012de6c9b534a

SHA256
aed0fd43ca13d79a346a857d96b603a5a7f06920c165cbcecaf86627562ad3b6

SHA512
30318a5d2c893e6c02c11d293a608181e6a8e5617da85a476ca6bb38e629a872d1163fe38d76bad20a37e9ce67d69d483191442363a8a36a6657e420bf9acf5b

Download Submit
C:\Users\Admin\EqkswEoQ\PQIG.exe

Filesize
2.1MB

MD5
c025f1d74be864a1a2aa06e8e4cf2669

SHA1
07eef003aa9187ae669b7dab90055227057b49df

SHA256
be49a9220fe894460908e6c3c69b658594e5881d2335e1a8f848669bdbc0c74e

SHA512
d0bfd92727f9e2ccdb79183a917c976705e94bbbefaf58369baecf67cd0eb840395f6d89db137b1b3f732984ed60ca057ce277af79ad933803e6894790fc07f7

Download Submit
C:\Users\Admin\EqkswEoQ\UsAYAgAA.exe

Filesize
2.0MB

MD5
3ebd997a7dfb25e0a6b4bc54bf49274f

SHA1
69319ae2891f90e81ac15f37b94e1b61af2ad238

SHA256
05cdfe3c46d62232626a5825352fa62eeb6c9694001a4d4483f37c25e3ab3600

SHA512
861f8251664dc65d6e10ba76f4c60f9339f583a8dd565f8dba296bfcde6d4475207ba43d7bb66fed8f4e9e7b2aa2455cb6db92798f0281139952dd56af50af12

Download Submit
C:\Users\Admin\EqkswEoQ\UsAYAgAA.exe

Filesize
2.0MB

MD5
3ebd997a7dfb25e0a6b4bc54bf49274f

SHA1
69319ae2891f90e81ac15f37b94e1b61af2ad238

SHA256
05cdfe3c46d62232626a5825352fa62eeb6c9694001a4d4483f37c25e3ab3600

SHA512
861f8251664dc65d6e10ba76f4c60f9339f583a8dd565f8dba296bfcde6d4475207ba43d7bb66fed8f4e9e7b2aa2455cb6db92798f0281139952dd56af50af12

Download Submit
C:\Users\Admin\EqkswEoQ\UsAYAgAA.exe

Filesize
2.0MB

MD5
3ebd997a7dfb25e0a6b4bc54bf49274f

SHA1
69319ae2891f90e81ac15f37b94e1b61af2ad238

SHA256
05cdfe3c46d62232626a5825352fa62eeb6c9694001a4d4483f37c25e3ab3600

SHA512
861f8251664dc65d6e10ba76f4c60f9339f583a8dd565f8dba296bfcde6d4475207ba43d7bb66fed8f4e9e7b2aa2455cb6db92798f0281139952dd56af50af12

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
\ProgramData\hYwkcckc\AcIQgoQM.exe

Filesize
2.0MB

MD5
9d9f3f095f6d0eae036201d8a4c4b328

SHA1
88fdfda484496e61cb2a3cfffbe845bf77e796a0

SHA256
109fe3432d25658811e565cd6062cfd3094773f94beddc468c4a6463a0edc3e2

SHA512
5c5a4c36a9ebcbb1ab2471e3bef8c1cc637578520b2087d8b774cd70ef7159dd48650794f90248d8524e855b01d6ebaf22f8f54c7ef3a3ce18a867e90177de74

Download Submit
\ProgramData\kqgEAMYI\ZawgQMcI.exe

Filesize
2.0MB

MD5
644d4a851224a8f72cbac96331b17067

SHA1
702d28976c96b4133b7368ed67eebd7db4ab43aa

SHA256
f8a09ec3f092b2e3daff42a80aeea189f4c4a222cf02141d322553e6a8f2191c

SHA512
2b0a8faf9f20e0e656f24d1b8088d08d9177572901db831ceed1a62356dcd75691033b5a4ccd4979454655f2df8177afc4d40ffc82425861ad824c6ed277c7e9

Download Submit
\ProgramData\kqgEAMYI\ZawgQMcI.exe

Filesize
2.0MB

MD5
644d4a851224a8f72cbac96331b17067

SHA1
702d28976c96b4133b7368ed67eebd7db4ab43aa

SHA256
f8a09ec3f092b2e3daff42a80aeea189f4c4a222cf02141d322553e6a8f2191c

SHA512
2b0a8faf9f20e0e656f24d1b8088d08d9177572901db831ceed1a62356dcd75691033b5a4ccd4979454655f2df8177afc4d40ffc82425861ad824c6ed277c7e9

Download Submit
\Users\Admin\EqkswEoQ\UsAYAgAA.exe

Filesize
2.0MB

MD5
3ebd997a7dfb25e0a6b4bc54bf49274f

SHA1
69319ae2891f90e81ac15f37b94e1b61af2ad238

SHA256
05cdfe3c46d62232626a5825352fa62eeb6c9694001a4d4483f37c25e3ab3600

SHA512
861f8251664dc65d6e10ba76f4c60f9339f583a8dd565f8dba296bfcde6d4475207ba43d7bb66fed8f4e9e7b2aa2455cb6db92798f0281139952dd56af50af12

Download Submit
\Users\Admin\EqkswEoQ\UsAYAgAA.exe

Filesize
2.0MB

MD5
3ebd997a7dfb25e0a6b4bc54bf49274f

SHA1
69319ae2891f90e81ac15f37b94e1b61af2ad238

SHA256
05cdfe3c46d62232626a5825352fa62eeb6c9694001a4d4483f37c25e3ab3600

SHA512
861f8251664dc65d6e10ba76f4c60f9339f583a8dd565f8dba296bfcde6d4475207ba43d7bb66fed8f4e9e7b2aa2455cb6db92798f0281139952dd56af50af12

Download Submit
memory/728-78-0x0000000000B00000-0x0000000000C03000-memory.dmp

Filesize
1.0MB

Download
memory/728-231-0x0000000000B00000-0x0000000000C03000-memory.dmp

Filesize
1.0MB

Download
memory/812-273-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download
memory/884-76-0x0000000000220000-0x0000000000274000-memory.dmp

Filesize
336KB

Download
memory/884-73-0x0000000000220000-0x0000000000274000-memory.dmp

Filesize
336KB

Download
memory/1156-72-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/1156-75-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/1204-295-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download
memory/1412-54-0x0000000000220000-0x00000000002E5000-memory.dmp

Filesize
788KB

Download
memory/1412-74-0x0000000000220000-0x00000000002E5000-memory.dmp

Filesize
788KB

Download
memory/1608-238-0x0000000001E40000-0x0000000001F05000-memory.dmp

Filesize
788KB

Download
memory/2420-534-0x0000000000330000-0x00000000003F5000-memory.dmp

Filesize
788KB

Download
memory/2560-453-0x0000000000330000-0x00000000003F5000-memory.dmp

Filesize
788KB

Download
memory/3020-473-0x0000000000610000-0x00000000006D5000-memory.dmp

Filesize
788KB

Download