441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
125s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
Size

2.0MB
MD5

e32ef8a36b6a6c010b27a7871ebda037
SHA1

0ea7d9bf90c5fc6bfadaf3c14e140fc9c9aa5361
SHA256

0b8e9bc31964c9433bd5cc20e556cfd0590c3b17b0db23cdc3ad0547683f3820
SHA512

e98f941c7be2c650de033048b8a9d4556da2204f9b0c90d399c981dcb9e215d5322a765884aad1a4e5b31b23227827cb21fd1ed5d3a79cc7f83226c07f579eb3
SSDEEP

49152:pdGNHxQXLx6cHqNQDQg6nNw1WCj/vd2Xptvh4:pd0QXL/t

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe,"	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe,"	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe

Modifies visibility of file extensions in Explorer 2 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 17 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2892	UuIkgEMs.exe
2848	yQsIQEwE.exe
2836	cCsUIAMw.exe
464	yQsIQEwE.exe

Loads dropped DLL 12 IoCs

pid	Process
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe
2892	UuIkgEMs.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yQsIQEwE.exe = "C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe"	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yQsIQEwE.exe = "C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe"	cCsUIAMw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yQsIQEwE.exe = "C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe"	yQsIQEwE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yQsIQEwE.exe = "C:\\ProgramData\\BqAMcAww\\yQsIQEwE.exe"	yQsIQEwE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\UuIkgEMs.exe = "C:\\Users\\Admin\\desEIYsA\\UuIkgEMs.exe"	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\UuIkgEMs.exe = "C:\\Users\\Admin\\desEIYsA\\UuIkgEMs.exe"	UuIkgEMs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\desEIYsA	cCsUIAMw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\desEIYsA\UuIkgEMs	cCsUIAMw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1728	reg.exe
944	reg.exe
1620	reg.exe
1612	reg.exe
2512	reg.exe
2700	reg.exe
2468	reg.exe
1012	reg.exe
1972	reg.exe
2700	reg.exe
480	reg.exe
940	reg.exe
2252	reg.exe
2240	reg.exe
1604	reg.exe
2392	reg.exe
3040	reg.exe
1976	reg.exe
2392	reg.exe
796	reg.exe
600	reg.exe
2532	reg.exe
2512	reg.exe
2704	reg.exe
1516	reg.exe
2676	reg.exe
3056	reg.exe
2072	reg.exe
1084	reg.exe
1128	reg.exe
2296	reg.exe
1508	reg.exe
228	reg.exe
2876	reg.exe
1156	reg.exe
2500	reg.exe
3040	reg.exe
2776	reg.exe
856	reg.exe
1504	reg.exe
2516	reg.exe
1540	reg.exe
2956	reg.exe
2964	reg.exe
1080	reg.exe
1516	reg.exe
2596	reg.exe
2748	reg.exe
1604	reg.exe
1148	reg.exe
1504	reg.exe
2456	reg.exe
820	reg.exe
568	reg.exe
2568	reg.exe
224	reg.exe
2508	reg.exe
2080	reg.exe
2060	reg.exe
1084	reg.exe
864	reg.exe
844	reg.exe
1540	reg.exe
2180	reg.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2892	UuIkgEMs.exe
564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1704	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1704	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2636	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2636	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1096	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1096	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2740	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2740	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1280	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
1280	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2572	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2572	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
896	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
896	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2332	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2332	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2568	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2568	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
3068	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
3068	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
216	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
216	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2152	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2152	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2012	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2012	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2720	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2720	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2720	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
2720	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	28
PID 2744 wrote to memory of 2892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	28
PID 2744 wrote to memory of 2892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	28
PID 2744 wrote to memory of 2892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	28
PID 2744 wrote to memory of 2848	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	29
PID 2744 wrote to memory of 2848	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	29
PID 2744 wrote to memory of 2848	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	29
PID 2744 wrote to memory of 2848	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	29
PID 2744 wrote to memory of 892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	33
PID 2744 wrote to memory of 892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	33
PID 2744 wrote to memory of 892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	33
PID 2744 wrote to memory of 892	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	33
PID 892 wrote to memory of 564	892	cmd.exe	36
PID 892 wrote to memory of 564	892	cmd.exe	36
PID 892 wrote to memory of 564	892	cmd.exe	36
PID 892 wrote to memory of 564	892	cmd.exe	36
PID 2892 wrote to memory of 464	2892	UuIkgEMs.exe	37
PID 2892 wrote to memory of 464	2892	UuIkgEMs.exe	37
PID 2892 wrote to memory of 464	2892	UuIkgEMs.exe	37
PID 2892 wrote to memory of 464	2892	UuIkgEMs.exe	37
PID 2744 wrote to memory of 1728	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	35
PID 2744 wrote to memory of 1728	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	35
PID 2744 wrote to memory of 1728	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	35
PID 2744 wrote to memory of 1728	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	35
PID 2744 wrote to memory of 2468	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	39
PID 2744 wrote to memory of 2468	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	39
PID 2744 wrote to memory of 2468	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	39
PID 2744 wrote to memory of 2468	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	39
PID 2744 wrote to memory of 2676	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	41
PID 2744 wrote to memory of 2676	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	41
PID 2744 wrote to memory of 2676	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	41
PID 2744 wrote to memory of 2676	2744	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	41
PID 564 wrote to memory of 2972	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	46
PID 564 wrote to memory of 2972	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	46
PID 564 wrote to memory of 2972	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	46
PID 564 wrote to memory of 2972	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	46
PID 564 wrote to memory of 1080	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	48
PID 564 wrote to memory of 1080	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	48
PID 564 wrote to memory of 1080	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	48
PID 564 wrote to memory of 1080	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	48
PID 564 wrote to memory of 2876	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	49
PID 564 wrote to memory of 2876	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	49
PID 564 wrote to memory of 2876	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	49
PID 564 wrote to memory of 2876	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	49
PID 564 wrote to memory of 944	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	50
PID 564 wrote to memory of 944	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	50
PID 564 wrote to memory of 944	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	50
PID 564 wrote to memory of 944	564	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	50
PID 2972 wrote to memory of 2132	2972	cmd.exe	52
PID 2972 wrote to memory of 2132	2972	cmd.exe	52
PID 2972 wrote to memory of 2132	2972	cmd.exe	52
PID 2972 wrote to memory of 2132	2972	cmd.exe	52
PID 2132 wrote to memory of 1628	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	55
PID 2132 wrote to memory of 1628	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	55
PID 2132 wrote to memory of 1628	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	55
PID 2132 wrote to memory of 1628	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	55
PID 2132 wrote to memory of 820	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	57
PID 2132 wrote to memory of 820	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	57
PID 2132 wrote to memory of 820	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	57
PID 2132 wrote to memory of 820	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	57
PID 2132 wrote to memory of 1516	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	58
PID 2132 wrote to memory of 1516	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	58
PID 2132 wrote to memory of 1516	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	58
PID 2132 wrote to memory of 1516	2132	0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
"C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\desEIYsA\UuIkgEMs.exe
  "C:\Users\Admin\desEIYsA\UuIkgEMs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\ProgramData\BqAMcAww\yQsIQEwE.exe
    "C:\ProgramData\BqAMcAww\yQsIQEwE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:464
- C:\ProgramData\BqAMcAww\yQsIQEwE.exe
  "C:\ProgramData\BqAMcAww\yQsIQEwE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
    C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        6⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        8⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        10⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        12⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        14⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        16⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        18⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        20⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        22⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        24⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        26⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        28⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        30⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        32⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        34⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        35⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        36⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        37⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        38⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        39⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        40⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        41⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        42⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        43⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        44⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        45⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820"
        46⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820
        47⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1516
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2468
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2676

C:\ProgramData\vIAcYAUg\cCsUIAMw.exe
C:\ProgramData\vIAcYAUg\cCsUIAMw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "123603998217752774901475978494-1178632919202731654972854697460447991911089297"
1⤵
PID:1800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "149967454-1112782762-8896638871142054550736345356813199181491772597-1480946519"
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
3.0MB

MD5
5907979e5619d70ce38101a516262e03

SHA1
adedfa20e2caf020757e1fc13663fe412de893b2

SHA256
b742fc8c2a30a55fdd40c43d174302826df640aeab5ec60c5169ea2bfadf2010

SHA512
2c54e4624c41e7927398abf8c4a277f952e551f472b7b6d3b13f143a154697b22d3492b3bb4f8e1feb770ecd818f258803933f4db54761699633ae1b8316fd41

Download Submit
C:\ProgramData\BqAMcAww\yQsIQEwE.exe

Filesize
1.2MB

MD5
d9e68407278cc979443ee8d18315be6f

SHA1
64d1f3b4ac7b8fe33616d7de6bf9842dd7f7fa2a

SHA256
a9249f14a64e85c32e33c0d8e29beec25aeaafa966c4b8afe290fc6521b57a08

SHA512
d3aa67f38fab24ad8b1fc3d539dfaab36d46d16a323f8705e09d91ed995db1477bbfbc8c941560bfab0ed818a33186366758d8cd99f2b5703b3ea994c88e7a31

Download Submit
C:\ProgramData\BqAMcAww\yQsIQEwE.exe

Filesize
1.5MB

MD5
001cd7feeb41eef22389a4f9797e9fa7

SHA1
b49013e5f72a55e6b23c0215410f0b0da76ebd82

SHA256
86e5dad5f6cf3ec37b254ba31c04d7ce5f32c7ba9e217859d953271b6a3d4083

SHA512
51f65272d9bd9362fba1f0ad28d42062513cd6be6fbc981f5c72e700f2cf16c3e0be33cb86e905f2597b519a39aaa8b148f30d7a69ef949715ee1f9a30b5f7d6

Download Submit
C:\ProgramData\vIAcYAUg\cCsUIAMw.exe

Filesize
2.0MB

MD5
a6b16434c9e8edf38485670a4a3571ff

SHA1
9f032541fa9dc18ee42960908531f3aba2f058e1

SHA256
09853f12b684f166ef97238186941a3b510b60c14721cf4c68f5998b29ea6048

SHA512
b38602db2615e58e2cb9862af2b3173ac0f4f434dd3a6836126efd35689192db8a0eb8dafaa41d498f932aea6c4ca6cea4b4489d285ce387687ee4dc13415625

Download Submit
C:\Users\Admin\AppData\Local\Temp\0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsQQAcAo.bat

Filesize
4B

MD5
2c25f860cfa21ff18117f80032022769

SHA1
00347185767e4b3f51536542635eb54dcbf4d640

SHA256
13b82abb8e57b2ff2f0891b57e573ab133ff00b282338184c369a6d6362bb782

SHA512
db1fa9e15e3984280e4b8658e829e09e64cf89c6bcc820943b07501a90d816dabbf6a3f465c75db1dd064bdbd7a477939fcf24842b12a88308f53f88310316db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DusEAgAQ.bat

Filesize
4B

MD5
cc17b61afe25254c27c1327b16278e31

SHA1
f713b8a8c4c1f44c142b6490754abcea0e5de1b0

SHA256
6b8f03832a47fe6f50dfe1765dc9c26e5346b189f6e3adb3dec8e2913f95eb6e

SHA512
124b6ed6ff36ec84a6c44264745cffad224fecefe2f34da61e80fe587be5022b680e6416a4600b8d6db7c09cbf1d75673b6934af84b0fad0c761a525d9462c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAMwEwcY.bat

Filesize
4B

MD5
e525f9e61bf7de91ef568fc732303940

SHA1
035c8949be0c908d624d9f6a6602d9bc3db54ea2

SHA256
6cb39916e3fa779d592c881d8528d6ad15a3dfa91ea9e998e0dcda2b2acb12c9

SHA512
5363525593b86352215223d61f89b52b3af43b9b2ab2899df8d1783e7a401fb13fd35185a57db504bf7f673da5e53157a50515bf83a012b54d735a647aabd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GegkwkEg.bat

Filesize
4B

MD5
436dfd9c3739a0700aecda9df572ab39

SHA1
8069af8966ca9a4da773cfcc2c2d2d8d7c9681e8

SHA256
38322f05a9e6d91083f2b035438b4dab03c9f8c3201641c28b6ad107ebbfc33c

SHA512
a7cdd4480a24911adf25744a2400b69d66b6bb349a5a3e88f4dcfcf3a3ad4cdc7e264cb51b2ce31b4e9a5ac572f89c0eba2811fd6d316c1d4aa0cb9b512d5941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKQsoUAw.bat

Filesize
4B

MD5
4896346a2cd53d35000a4fd7dfaa5a3d

SHA1
998322d8d2c205e159262bcfc2e55a3d3eae8350

SHA256
4e563195df944b2821f2f681caab899ed5f0bf043c65daeca0310bf9d0933380

SHA512
4027ac57079e926ea4584b6c273df85c807520a4512160bb03226d6ee1e77e1341c417191218e4cace9b9bfb2fce48e266934ff5299c72ba038ddc398b2e90c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQEQkMog.bat

Filesize
4B

MD5
f197756d40565093f72fcaca0bfdb199

SHA1
8b6ce8ca27f3b0cd709d321c85812520e7a9844c

SHA256
2a357058df4646a869888f9f2a74f5172eefe078e2e69546ca55ed2c56644f40

SHA512
a3dcddb32b3038ff59c37188d669707823115302f91b28a05c88d8a1f26d453838f4774d35c6091441e9bbb8a193091deba539224eb34ab830c0c966c5ab2e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\NyQcMkYA.bat

Filesize
4B

MD5
b3f520835eeb85a537a0739d346cadc4

SHA1
a3b5261019fb3c81f05af0ce509248409cc2a5ff

SHA256
d92ccf7606fd558149f1bda42e40caedd43f7d820aa90c4282f2da5dbc396e9b

SHA512
862ebf6fef746c79fb37e6b72cb0469528439668ed4d7a6157f1a4c6ac79b05b6ca52b0cbe675d66c99df2f668d860a4828805aff9c20d54d33d944bce0b51a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TugwEcUc.bat

Filesize
4B

MD5
cca1d311c5190633f8ba8a2fbb536b66

SHA1
32ca6f7f8bb18cf9639ba3fb3df4d47b07f704b1

SHA256
0193825eb706742e9a5a75ab901e1cb98cef31d43d44ab0a8a68acbd62db4b05

SHA512
e4be66053b921d426a7adcedecc3d44660dd14228e23ed581e17d13b2a2aaee8003178909c3ecea65f6c3a5795ab60109015a7ffb6558c0d88ee27682cb69151

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQMMkgAw.bat

Filesize
4B

MD5
fbf63173ef4d32f30e7f3844be4a4566

SHA1
cfcffb0d0b7ea4cc3794061cbd2e50da12212c03

SHA256
a74ef4bb8fd9a0bfc3159e3cafd5607c5d096c2ee4b871940188fc6ecb3c5d19

SHA512
31d48a5fd8705b817b05b94da5fad9a6ba3ed628268836561e53775494874beab1f0b59806e84b116a1bfa79425b28dd91245ca7930dd0d49c442cedcf0a8dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCgggQIM.bat

Filesize
4B

MD5
dda3025556795477ddcea50be1eb1651

SHA1
11a5088788ded314185023e8f25b67b1a3b6bf67

SHA256
f9b0959bb914ffdf7e0877c2ecd351b94c60cb5c418cb184550c3d0cee0e16ce

SHA512
a9195290550cad515b549f076e1a08999efb9402e1154a8de1429759f7ffaa28047de5e4cd2b154c570131877af921026cdd36271fac066dc6b3d8fc75ba9694

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyIEMwAo.bat

Filesize
4B

MD5
5a10cbd0d1b7b35a6702158af009d269

SHA1
f27f6a5590802040bf457c53ad1e6364ff29a3cf

SHA256
74be16a9f25216d9c7afa06aeee448c334495cdc49291d6488aa224a07957364

SHA512
afd6065c3b91d1b31003f121de614b122248ab707d38d9470197ffe442e85165dbcc269a930c4a8f31e72c10b2af24cb040b133461d53faca9e95fd0615d9cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyMEIwMY.bat

Filesize
4B

MD5
037f5de03f5cc5286ff938a8e686915e

SHA1
d6d76cb3a97c29e3d5b3b9ab77cb429d3938f739

SHA256
ebde0b53f2844182837e9ea7697cc947af8d184a224b58a74207b5b28dd1fcf0

SHA512
31f2bca657f26fc149fed3688f3e9850f4d5e0679d5cd54f77d98a242c9b1498ad17413f14b9e2126710885a3590a23a609e3ab500f3f2712e73f4e48b1f0be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcQcMAI.bat

Filesize
4B

MD5
59844cfea95f950c232107e79bc95a86

SHA1
013996268b324535e74be98ea455ab3a0f8361c8

SHA256
f0a86e45fb96da857e38132db8ac6bbddee593c6b6baf9b0fd079b8a3611dbb3

SHA512
7ff68a6de9b1cc786c75311ce38c361590d8d72303be11ed6c590fcc689d4296a42df9f85507a2fdeefb7b632e22d91e48b017bc3b74b4a7770ac2345bb2b1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZiMMIgIE.bat

Filesize
4B

MD5
af4bb75978da43d63e718fd518cabdf2

SHA1
94ddc990309a1cad4b051b64242da93146884c29

SHA256
fa30f7f41eeb3560be582d0446ee90680e3ac62ad865ec865823913f17698d99

SHA512
258f8eb00963137164dbd44a23ae67c50b82f22664959f93b746ae55aee06310a5dfc0df021e53939ea9047e26275df4d0e24ace9b2d2b54f3f01c3377cd9ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwYUkEYk.bat

Filesize
4B

MD5
71eea3e0d5bc7ecbe93c4c4a46133eb2

SHA1
39dae27e3e62b99b2432d52cc68350b44d533771

SHA256
087d886f524d1b8674c86d95427cf0efb90e0fe9749b13244f4cd6d541cdfa44

SHA512
01e36b6fa7bc5365eb5e6a8c66e51bb6c57b9aa273b7b22a2bd93fadfbc1e22f046c39e30633878f2ef2142311aaa33f351f87ab30586d0d92bb246283e2e960

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOAMEwUM.bat

Filesize
4B

MD5
847faba4517364b228a53695442fec15

SHA1
c46bcde732298a0939950aea0529afc1f67125c0

SHA256
95070fe7bff10f43746aff32f9c67cefebff1bf3a2e7696c79209f6c357e04c8

SHA512
31f1a3e84ad2029101e89907f716c792bf793444021412113026f95c040191616f878c8f2207b8649318d650c81635034f50e81a9912ebacff9682f61341947f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYccUsMk.bat

Filesize
4B

MD5
f5bde6d4a31defd88ee03a6ed980a7e9

SHA1
2d29c91e2cd43adce03ac943d88dc1690949cf34

SHA256
19c015cc95c954a532feb334ec0c3b96cfc3cc45decfa906f16039d9e6e66336

SHA512
d12590a5ec88db8a71f8ac59da5bd6bb63d9f6f9d654263977794b12d74aa12e4dd3d9008aecf2b89f0f61f8874f7e9df7360f4d1d7983a36c4c933696593a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEMUsUsM.bat

Filesize
4B

MD5
8218b7f5762e2feeb55a59d6046cc8ff

SHA1
6e3ec9f76be0124f416ddfccc7f8371aeea69fa4

SHA256
00f886faeb887a5cb43c4be541949603850a63c18a4acee62a538e045570c03b

SHA512
6066cd4943aa2e65a17180676579543a9b6667adcd17bbf62339a47e6d4a97f0d5785aa21f94bce342e36c86f3dcc19b8639c1464a004ffc547dbfe4b9d0e600

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSYcoYoA.bat

Filesize
4B

MD5
de545e425834643e55d5f9f946c4a722

SHA1
4009d5d9d8cd7ec2bcacf4a325b9c7a5231ca751

SHA256
419be805e71d594fc34a111ca15f998a98396e5403cfa2fe4df2ac7983740ec4

SHA512
518fa4360af165e87762af5ffbf7ec74c4865f7d955b5faddc9b300637ce19899317b950305bc1d1edcdd9008abeaa9e443a4750189f37adaff4c20ad9375726

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioEkogwI.bat

Filesize
4B

MD5
4f2be3bd1bb4787527c43ba4f5e5f7f7

SHA1
68a4622adf12706959ad964d31a7c6ecfb32786c

SHA256
bb8862297e428c45ba164a3e98c02761dc89e71e6bd6f40c513a71e0f627d799

SHA512
4eefa3f01c8e7b8ef33b82162fa3ea3721b60e8102681a350cb2956c4a1a134153beab0e4f4d2c2d7034903fcabf22b6fb71572ff5691418243b810de8c1d697

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKckAMAE.bat

Filesize
4B

MD5
b279cce4f9c854fdd6b890fe75c06cec

SHA1
7856eb5d4033ec33b3bd283ac28c0253a730d023

SHA256
6432a1ba7352bc9b2673ebb55a97fa0ad622041a726e943bb3caf5fc241df711

SHA512
2c1fac5f7da4994746219c2d06ebe3b8ba86e55372ee44933ee7c0cd44475d17f078846b2c29841d89ca616993acb3d9a3123bcc6e5acffd2f2d2b45efce4a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCkogIkY.bat

Filesize
4B

MD5
47c2bb5bc5a236ae212a43612f1567d5

SHA1
2a4788eef573d80e0d1a85e61d40904cf31ce7c4

SHA256
9f729f9993b59f8e889190b74e5452cc177f024124f505276bc80d56b53eeb0f

SHA512
fa01ced7576f349b39388cf9d4145b972afbeb685e7d8516cdff79753b3fa586babdd804a300beaf7741a94f04df477b1716d4e390ce86fe63a046bd2b6d6d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pesUAUsI.bat

Filesize
4B

MD5
0a86696ba9c9166140c53c24240bb655

SHA1
d726ab6d427161bb965fad1e3878fc691f5dc28b

SHA256
a40ffbf8a2fa7217116db3d0ac4def102b4911e79b74fd6fe91b708c6592594a

SHA512
85cd6c9f9fd18413fb5a4e82501e72c0f0e1788cb57a89eb469aeae978a0d880da155d13922b34541044ed4be15804b48416c8d6a84623b1deff645634aa9637

Download Submit
C:\Users\Admin\desEIYsA\UuIkgEMs.exe

Filesize
960KB

MD5
acb0a979a661f3b291635bd6db202c13

SHA1
d73578e1f1dce5c3418b0e19ce9ef978d3b3474a

SHA256
230b710f149ed6244a068ad321483d2df3600f1f38d17123748fc0ab68286a0e

SHA512
6bb5b249ef83e6a6480640593ece4bb2e4f4d991f34eccfe87cd10ab5fd592885c2025c24bdfc394aaa6c424a97ef29bc7a297ac25ed474689888b08071fb0d2

Download Submit
C:\Users\Admin\desEIYsA\UuIkgEMs.exe

Filesize
263KB

MD5
f4f9d108731f33eef74592e182954ad8

SHA1
2e8f6c5b6edc000daa33d9c78fbe62f2f61ae809

SHA256
f660d6bb018f80156962209bf8edf72871445e6db9af920add88671741084376

SHA512
397dc467e81faed04412f2bbf94b5003ca0ad776d1569ab2e994dbbb0f8da5c5139cca6cacb3df761e5caae248938142e6fbf93cac463a90ee58d1486077121b

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\BqAMcAww\yQsIQEwE.exe

Filesize
1.6MB

MD5
c28da2da36475c562eefcd5d3c735111

SHA1
381fb5d68afcbd06416331d867e45fd0996afe93

SHA256
e10d55edc48b80b8d549fe8c50f8f363c84ed0e53e0016c18fa7d679225ba59d

SHA512
3587a146b3d24749bae32e052c1138d419805daac953f65f0cf1fa9d447792ab3afa362707ee35b8daa06548e3724935bc542e44d307fb944853c5267c18be7a

Download Submit
\ProgramData\BqAMcAww\yQsIQEwE.exe

Filesize
1.3MB

MD5
6fb64a4aef021d93a91da409bd8b53ac

SHA1
c98a66e7343f3b1e35a14f099631a4bd0013233c

SHA256
1e2e247bd0596098da6d648733fa1f940224b8c9cd6678eece80ec12e6996392

SHA512
926bf87a2e0ca50e94784adcfe7dfc91ffbfdcb3a5e2602992b0b583197d32e06f9b35b3db69e8d0db5e8d4510b854f80bd466aba8247a69bb173655328158ba

Download Submit
\ProgramData\BqAMcAww\yQsIQEwE.exe

Filesize
2.0MB

MD5
708cb3ff1fb73edaea14d4b008ebde5e

SHA1
f16134a130c2727c5e9638635037ad0b77f66d53

SHA256
0e5d5c51bcee3bbaec23c4e5034c74d59e2e4a777851983a114157e476948a8e

SHA512
8c4016f2bef4fa4353234d9de935b7444a559e3763588859b928096f2dc666dd98252259741bade85d78197b196677fd416249e263619f4434fff8c3e49be5f8

Download Submit
\Users\Admin\desEIYsA\UuIkgEMs.exe

Filesize
1.7MB

MD5
22d87dbd2bd5e63537423fed022693ed

SHA1
0567e18c0ad9452194c41fff5b4d7c5fa83d2920

SHA256
4f105e1d91c35a4db60e08143c84e7c9b82fd0c8b0685e8ed5012aa712f1825e

SHA512
03bdeaf3159a234ac79a7f6a737104c7418b081e51c56fff0a70e94f5de100ac621cd891af893fe6a5d0d85fa07586c5aab8d0fd2a4c92735f1e35df57b2b9c4

Download Submit
\Users\Admin\desEIYsA\UuIkgEMs.exe

Filesize
1024KB

MD5
aa7154e4c586af235a1db8f7c02cd71a

SHA1
2379fdb25cfaeca472ed9e1e004bdc280e5484a4

SHA256
9cdf20655c50dee9fd02d084b75c6fd347ab58c602cb14e8b613575385f7ac00

SHA512
fbbea788384c898bf24c539f75362d38481b840c93de6d1a08be75d98453971ddb6a94f139adf5c0cdd46e014829d9cec3d5dbbd934ce71c813468a2d4f09f40

Download Submit
memory/216-229-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/216-304-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/216-232-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/464-63-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/464-134-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/464-58-0x0000000000610000-0x000000000070A000-memory.dmp

Filesize
1000KB

Download
memory/564-132-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/564-46-0x0000000000600000-0x000000000065E000-memory.dmp

Filesize
376KB

Download
memory/564-61-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/896-176-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/896-249-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1096-121-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1096-187-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1280-217-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1280-147-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1468-293-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1704-163-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1704-93-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1940-316-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2012-263-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2012-261-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2012-330-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2132-146-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2132-75-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2152-243-0x00000000003A0000-0x00000000003FE000-memory.dmp

Filesize
376KB

Download
memory/2152-326-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2152-250-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2244-342-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/2244-359-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2300-331-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2332-262-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2332-188-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2568-275-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2568-205-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2572-164-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2572-231-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2636-175-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2636-104-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2720-276-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2720-357-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2720-274-0x00000000002F0000-0x000000000034E000-memory.dmp

Filesize
376KB

Download
memory/2740-133-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2740-204-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2740-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-57-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-1-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2744-0-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2744-35-0x0000000000220000-0x000000000027E000-memory.dmp

Filesize
376KB

Download
memory/2836-36-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2836-86-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2836-92-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2836-34-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2848-120-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2848-74-0x0000000001E60000-0x0000000001F5A000-memory.dmp

Filesize
1000KB

Download
memory/2848-59-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2848-31-0x0000000001E60000-0x0000000001F5A000-memory.dmp

Filesize
1000KB

Download
memory/2872-305-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2892-62-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2892-11-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2892-10-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2892-60-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/3068-218-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/3068-216-0x0000000000790000-0x00000000007EE000-memory.dmp

Filesize
376KB

Download
memory/3068-292-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download