0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469

Analysis

max time kernel
58s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
Size

2.5MB
MD5

dde4e07ddb8b8aa4669abc688504112d
SHA1

a9260ada32e49444ecbe6df5d474314ff6c74b9a
SHA256

0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
SHA512

5f009610c4eea37a72d54673525a026821df4719878884856a8aec508bcc4ed83432713576deb34b71deb2671280e08c0e0acd2d796880fe74e73e70afe41eb5
SSDEEP

49152:9dhfq+I03uLpmwpKML2fyU3ZlMnMc3hQlKp8NqdnB:Az03nLyAZlA

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\lAkgYwUg\\iUggIYcE.exe,"	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\lAkgYwUg\\iUggIYcE.exe,"	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
3048	iUggIYcE.exe
364	GYQYUsQI.exe
2668	HKIkYsEg.exe
324	iUggIYcE.exe

Loads dropped DLL 26 IoCs

pid	Process
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe
364	GYQYUsQI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQYUsQI.exe = "C:\\Users\\Admin\\JiUwoAgg\\GYQYUsQI.exe"	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iUggIYcE.exe = "C:\\ProgramData\\lAkgYwUg\\iUggIYcE.exe"	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQYUsQI.exe = "C:\\Users\\Admin\\JiUwoAgg\\GYQYUsQI.exe"	GYQYUsQI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iUggIYcE.exe = "C:\\ProgramData\\lAkgYwUg\\iUggIYcE.exe"	HKIkYsEg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JiUwoAgg	HKIkYsEg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JiUwoAgg\GYQYUsQI	HKIkYsEg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	GYQYUsQI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 54 IoCs

Modify Registry

T1112

pid	Process
2440	reg.exe
1512	reg.exe
960	reg.exe
3044	reg.exe
1148	reg.exe
2568	reg.exe
2808	reg.exe
1100	reg.exe
328	reg.exe
3044	reg.exe
3000	reg.exe
1628	reg.exe
1608	reg.exe
2460	reg.exe
2428	reg.exe
2008	reg.exe
2132	reg.exe
660	reg.exe
2612	reg.exe
2112	reg.exe
2916	reg.exe
2396	reg.exe
1496	reg.exe
2344	reg.exe
1608	reg.exe
2748	reg.exe
1804	reg.exe
1260	reg.exe
2768	reg.exe
1980	reg.exe
1996	reg.exe
1408	reg.exe
2800	reg.exe
2628	reg.exe
1504	reg.exe
2208	reg.exe
1792	reg.exe
2864	reg.exe
1752	reg.exe
844	reg.exe
2016	reg.exe
936	reg.exe
2292	reg.exe
2892	reg.exe
1700	reg.exe
2468	reg.exe
2436	reg.exe
2332	reg.exe
2692	reg.exe
1952	reg.exe
3068	reg.exe
3068	reg.exe
1460	reg.exe
1720	reg.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
364	GYQYUsQI.exe
2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2536	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2536	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1620	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1620	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
296	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
296	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1440	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1440	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1888	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1888	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2444	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2444	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2948	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2948	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1240	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
1240	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2704	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2704	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2924	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2924	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2924	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
2924	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	600	vssvc.exe
Token: SeRestorePrivilege	600	vssvc.exe
Token: SeAuditPrivilege	600	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 364	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	28
PID 2168 wrote to memory of 364	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	28
PID 2168 wrote to memory of 364	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	28
PID 2168 wrote to memory of 364	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	28
PID 2168 wrote to memory of 3048	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	29
PID 2168 wrote to memory of 3048	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	29
PID 2168 wrote to memory of 3048	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	29
PID 2168 wrote to memory of 3048	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	29
PID 2168 wrote to memory of 2920	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	31
PID 2168 wrote to memory of 2920	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	31
PID 2168 wrote to memory of 2920	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	31
PID 2168 wrote to memory of 2920	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	31
PID 2168 wrote to memory of 2396	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	33
PID 2168 wrote to memory of 2396	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	33
PID 2168 wrote to memory of 2396	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	33
PID 2168 wrote to memory of 2396	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	33
PID 2168 wrote to memory of 1980	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	34
PID 2168 wrote to memory of 1980	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	34
PID 2168 wrote to memory of 1980	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	34
PID 2168 wrote to memory of 1980	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	34
PID 2168 wrote to memory of 2008	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	35
PID 2168 wrote to memory of 2008	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	35
PID 2168 wrote to memory of 2008	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	35
PID 2168 wrote to memory of 2008	2168	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	35
PID 2920 wrote to memory of 2760	2920	cmd.exe	39
PID 2920 wrote to memory of 2760	2920	cmd.exe	39
PID 2920 wrote to memory of 2760	2920	cmd.exe	39
PID 2920 wrote to memory of 2760	2920	cmd.exe	39
PID 364 wrote to memory of 324	364	GYQYUsQI.exe	40
PID 364 wrote to memory of 324	364	GYQYUsQI.exe	40
PID 364 wrote to memory of 324	364	GYQYUsQI.exe	40
PID 364 wrote to memory of 324	364	GYQYUsQI.exe	40
PID 2760 wrote to memory of 2096	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	44
PID 2760 wrote to memory of 2096	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	44
PID 2760 wrote to memory of 2096	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	44
PID 2760 wrote to memory of 2096	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	44
PID 2760 wrote to memory of 3000	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	46
PID 2760 wrote to memory of 3000	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	46
PID 2760 wrote to memory of 3000	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	46
PID 2760 wrote to memory of 3000	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	46
PID 2760 wrote to memory of 1460	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	47
PID 2760 wrote to memory of 1460	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	47
PID 2760 wrote to memory of 1460	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	47
PID 2760 wrote to memory of 1460	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	47
PID 2096 wrote to memory of 2124	2096	cmd.exe	51
PID 2096 wrote to memory of 2124	2096	cmd.exe	51
PID 2096 wrote to memory of 2124	2096	cmd.exe	51
PID 2096 wrote to memory of 2124	2096	cmd.exe	51
PID 2760 wrote to memory of 1720	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	50
PID 2760 wrote to memory of 1720	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	50
PID 2760 wrote to memory of 1720	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	50
PID 2760 wrote to memory of 1720	2760	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	50
PID 2124 wrote to memory of 892	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	53
PID 2124 wrote to memory of 892	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	53
PID 2124 wrote to memory of 892	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	53
PID 2124 wrote to memory of 892	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	53
PID 2124 wrote to memory of 1996	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	55
PID 2124 wrote to memory of 1996	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	55
PID 2124 wrote to memory of 1996	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	55
PID 2124 wrote to memory of 1996	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	55
PID 2124 wrote to memory of 1608	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	57
PID 2124 wrote to memory of 1608	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	57
PID 2124 wrote to memory of 1608	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	57
PID 2124 wrote to memory of 1608	2124	0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
"C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\JiUwoAgg\GYQYUsQI.exe
  "C:\Users\Admin\JiUwoAgg\GYQYUsQI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\ProgramData\lAkgYwUg\iUggIYcE.exe
    "C:\ProgramData\lAkgYwUg\iUggIYcE.exe"
    3⤵
    - Executes dropped EXE
    PID:324
- - C:\ProgramData\lAkgYwUg\iUggIYcE.exe
    "C:\ProgramData\lAkgYwUg\iUggIYcE.exe"
    3⤵
    PID:936
- - C:\ProgramData\lAkgYwUg\iUggIYcE.exe
    "C:\ProgramData\lAkgYwUg\iUggIYcE.exe"
    3⤵
    PID:2428
- C:\ProgramData\lAkgYwUg\iUggIYcE.exe
  "C:\ProgramData\lAkgYwUg\iUggIYcE.exe"
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
    C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        6⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        8⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        10⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        12⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        14⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        16⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        18⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        20⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        22⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        24⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        26⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        27⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        28⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        29⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        30⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        31⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        32⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        33⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469"
        34⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469.exe
        
        C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
        35⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1608
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1720
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1980
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2008

C:\ProgramData\QGMEUYYo\HKIkYsEg.exe
C:\ProgramData\QGMEUYYo\HKIkYsEg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1315592523-1621778028-5677570091956490254174061167716265227-1920630232-1023814907"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2046452907277308589-1273759516-1299124944-1633063921163974854520422228081137194969"
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
2.1MB

MD5
8dafcdea83354f3617aa11d937f97f96

SHA1
f98b26c0adb6a15119d5a0c15340668920451e95

SHA256
fd0cbdbdb8bfdd214a84e3a068dd2330425e367176580f2df367a6e7079d14eb

SHA512
ce340c664e08ea661c78b26f66ab780916de9c5fa5cca9c011687f5da569b9d02388bed371ef0922505e207744decb8c572a94806f9761ab0b2a045189288673

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
2.0MB

MD5
c594b0a92ff384fdf8857f5dd0530bca

SHA1
743983b921a15c2cf14f720aee35bbeefd48de6d

SHA256
03c2e4c00e71b00093cc3fcc818e0a5a449e16c4d75a48b73d5979e2946f7e95

SHA512
16ce1e3eb3ec7fb7e0c620b0234dc646d26a6b33783ea93887f95124e831a8b09b0f6c2fb7188496215e658459d1ee75d59f4f0c739573996d94f8f4f521f7f6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
2.1MB

MD5
dd457f6cedb0f0d1a2b69eba8f9473b1

SHA1
2fb90bf204d17c34a90722a2095ff75404a81730

SHA256
783bc7c0a5861d7b409c7c7621be37d4e59e07d4b567d93dd19d24f2e9d700af

SHA512
f24c059199eddd4998750a1f5ea8688ba1b19ca8ea51999f107582b3d155f1f31059751d0b27be0c15946b2cf42126b10ea3be003b76669f21fb31e625816d5b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
2.0MB

MD5
f63cb506e04519bbc109d0d3e914acad

SHA1
04daacca9cf92eba72125e69e1c854cfccbece70

SHA256
dc54ea5d7eb0e31dcacdf78f6835bb20210a61a07cdcfb665e7a6d558579ad1c

SHA512
40a94c1819f900495b800206c32c06ce89444cb5e83e32c5fa6b851a9439ff3b9c6357a46ce38920f0404998555632e304b599a0bc19aacdad5f1aeed7f5f035

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
2.1MB

MD5
971c22ff1c60083fe85f0477489a7f49

SHA1
2ac7ba32a71f0cd11f568486516b5e65eb536639

SHA256
9eab55ca210fc6b826a3058c0309f0a2d99a538c39cca6138918843a085650f7

SHA512
9d0058a37a0e905994f1a7be34cb64745941f698a2f5e6d66fc27c0ba4638676e64479b55d606c27e71f4859cc96ca799e45da2259c4adaf43b70cd945369616

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
1.2MB

MD5
f12383b6d49795e9dfbf2e3430a608d7

SHA1
cdd7386f497da76b9287e0dc42705d1fda95d633

SHA256
b039d8b2a1bff4807f5c499823f348b81e7e8c1750abc442d67482d9396d76a6

SHA512
95b3ed3771199a1f511880eae6b4acfcec65ec620bfb96235678613ceeef52062a0912669d8a0b25c58b13cbeaf88e29c01915c929a5cb9f1fb9c17e1fe57821

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
2.0MB

MD5
89e70f6f94983a6f540436c9422a98d1

SHA1
47932be6b236661550ef87bce6b3a0b91d26c6a7

SHA256
92fc56d9ce02626593b5eab969be0b31408bba102e5eff6171a53da3b8786f66

SHA512
187ff91ba164cee9d0c467898d2dd031e709f2be2e6b94398b1b86d91ea036eec413012e72f086efaafc8c9d677154fcf4dcae4c1d0eb247757896d028f2f5ce

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
2.0MB

MD5
dbfb219a09359c80c1c090c6b18356ef

SHA1
9159bfd32a119e8f72b05aa4d44e3ef11194b6c0

SHA256
b0f675539aaeacfb61e95aa0e6fb959b22488444029dfa02aefe2bfd0233853d

SHA512
213bbcbe49eab2e8b0896e0faf236e28618aea82f3c5372af41da0840e8a216c72ec33f3c41acf759b945bb6f74db6f1af21f4a0122e495cb0f1f6badd0c32bd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
2.1MB

MD5
e924d23de97ca681fe5bf6b397287a46

SHA1
c6289372805d1fdd1fef21dfe1a7176e4765a986

SHA256
9407cb15ec62b7c805e60545eb90cc48a8b89115f9a3e4a2a9f1516928f2b906

SHA512
b7cf3535fd4b88e56f29e89c4716bce7d88010f7dc3e354280f174c549492d7c496546087efa98016d83aca8f09346909efcc8b55f0abdb2fe577a469d7f7399

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
1.0MB

MD5
125ad23d858e8704160408972bb8ee5e

SHA1
a39e291790f63d519105969ab158f5b0e6173c29

SHA256
4ab254d85df548105d08f9fa5a9d62246f9abc6b1e7c979b03113a56f2628edb

SHA512
38aba8faa6ca019123d075c9527bf73a8e4e706615df44180025688ae53111ddeffdb2bd7f85d91c743794f54ffe5da0cc77bf716ec2387dd1f1850154f04ea2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
2.0MB

MD5
eaf35a6235318f43a3d8c1b5ce75d981

SHA1
dcb53e63b9b774e33be09abcfcbff213bb27e533

SHA256
7f9cf5d7ee19b550201e1d39aebe0fef7b6e1d42cca2b16eea89682f9eb87a18

SHA512
02987341e28dfbaa70c10dca340abe0f0b7eb0051a31c4b956ae45ebbd0ab1bfec3d930ad9e8095ce254593317ce72052bcdc2767d183c8e0e537a2767e960c0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
1.9MB

MD5
c376b77672cfffcdcb9004fef642aa51

SHA1
53be74002340f5d64d0c4753f1cdb149dc4e2be9

SHA256
586740bc13fc28b28c477b00e33beddace01729720037a14a91b3b0d373eb302

SHA512
bdfaaa42732ec7693c5876dee669536d75c6d48d40440422bff32731a81b146146bece124b87fcb2793044335a721284a78efb1d52e9b97014524f3415db0abd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
2.1MB

MD5
e08f75a002f20d77f1f1a903438da105

SHA1
0c41c9a3935c6d4f28a84cd02d047dfb2bb19e25

SHA256
5f2a095f64a6b91eea48c347fbe1d3237d12d0279dbf1082c4ebbba5a9c85dcc

SHA512
a374375cf6f8685d87be0c2f798ac03f4fbf18eea0fd15087ec4a2fea127c1b87e6a86754a733778ecbfcffe5df16f96cf5f3d5084dbebf6400c8aef73a47dcf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
2.1MB

MD5
04fd381ffd8425d03e56689331182bab

SHA1
2d6df7257b30b6b6761ecc3841070c27d7f88b3b

SHA256
fee841a88b89f9e69e244f278f6461a8a25145400de178266e9227a2dd4d99d2

SHA512
1e8e9967d4bca43e402b3a4d87099daa55552e34c44be4f8ff8e892fbb36a4b463628a58b60db9ccdd84d6e6b4dae5655d12aa916bad336040ce5744221eadef

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
2.0MB

MD5
d8919693e5a266942664b8ad456e2353

SHA1
990db878b665680bb3ce01d8b4146581344bf4ab

SHA256
f9c81912d6d5f619364a27afb61797dc02b26f79f8830f779860040a7f8f9afd

SHA512
abe6f5186ed31ca42acf615e0acd0e2fb3a56d1f849250c9392a32f62b17b5c7c09ebabfb5b4856569a1903b6562d4a6689d69c00e2f0721c0275c4a99f7ef0b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
1.8MB

MD5
c20196570324177baa71de5775989565

SHA1
37ba7d2f06fb64ed8939d1c8ea70da64eead7526

SHA256
eb837a196e3a3d0aeb9a45db730f5b73a9953079e72a47ecab5c9c8b6f3f1892

SHA512
0a6da86fd33c7ad49816785c1ce8539559faacbed5b995894011b35bce664fd80fce72a0b2386fe9ea6ceef8e7d46d2729ede0ba0a50d26fe545dfec17ed1b09

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
2.0MB

MD5
33056387191687be8b01b6941382f06f

SHA1
8168f407b403f0ea04431b9910e598a3d64cb3f4

SHA256
0e898cc3f6c482503e80408cd3ef41db47c0f7a81a081ffadac8677fd79ccf5e

SHA512
879e3263a622c0521748b9a04af2be2afde3e8fa17b922317e86c9517522c1cf311e584e0f5416708ecba9a08a009ea05994e88314f34d72938fff4f1ae06b4a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
2.0MB

MD5
85625cd7c62c60a7ec30489398151881

SHA1
c0edb5426ed99d7bce7cd2b2609386e2490474ce

SHA256
6e2f06ceb9fbd6cd5c7ab5290890d450eb4a716ef6a37902d67fa96d428601e5

SHA512
1f1bf2d5b2998c925d8d152be5d978daaae3ea6964a5b6e507173b8594e044db654891ad064683cd7b39c7088275a7d469d0c475b208a1c4ebeee3ba6d289aeb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
2.0MB

MD5
1f0c39e90b5a3f86f982ab2999b35f03

SHA1
b91db7f1a2654280c04e43b889442acc6b94e29c

SHA256
d9ecaadcb84c515318c60bc0b6689ddc9d69bf29acec45b48ae0b8b3c40aea9c

SHA512
b5eee7e25a419d7b8da9327bcfe26163b347eb16f20cafa0ebc930b7d3affec1cae93aed3cc94d71e1d828eb87a4c1ad20e156e0402987ebb6b89dd97e754948

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
2.0MB

MD5
746986d9675c9f4d1e299f6d2e06bc4e

SHA1
92c51426048c1f93a410932ad93f2f21aa98f339

SHA256
2b8d200b487acf33c145249c66f8c3463519eed6c98c99f6a328fa3818afd013

SHA512
52dde37b14a48d5f68f070a60827cbbd9af61356c5fc84227dc34dc1e6722031f338b52a138a1bb7a242166b055fdc67172eb1607783de98e8de1d582f1338ba

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
2.0MB

MD5
3ac90f1a52f198de78dc454220cdfb6c

SHA1
653aea4bcb5d0edbbc9d7fb3bd2786b6e09b9584

SHA256
c86d51dd5cf16fc734747c4b16b2c8b36d17c491c67d410a24cddb43f3391f56

SHA512
2d6ce8c558dc0d4a739af5c0a78ee524ba352dc217e0a4c8214c4679012b93feef7ee0b3aecb1d51d384c9153a4717601eecc761567fe11d57d820351bd1f0f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
2.1MB

MD5
82982254a10b583da1a18aac29f4897a

SHA1
80981f05c081d66e610af1ec3cd18e5cab718a7a

SHA256
61ebfbff9888859d29cebcfa0aa21fbb62c0114e715fc6ed89919746b7b74241

SHA512
9b76fa6fab3de3cdf8c13c11f732430cb467b7ab07de78ec6387586aa2466ff65a5b117798eb74c9f69a3c07fdcf728e43bcded13ba855238c286a5e65149430

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
2.0MB

MD5
8a0d987c4ae28b4433ebd7b93d42b0f0

SHA1
ca9aa41b5278690736fe8c387477b54da3e22fd5

SHA256
da9ad12be248fd8597bbcd6f1e3aae8e24e42220e8cbc163e84c36251d96f3e1

SHA512
a7265d37ecfa9a4a3be3caefa8575e4f3f5c888f89d6011c250b4fb0fd86faf3a2a2e38f869f62a188e0d37410191872970e48fc16b440d05349e2d26c22e874

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
2.1MB

MD5
2ce551a94a0e610fb81e1b5871d784c0

SHA1
0567ac1a722b3da86ca069c3a23ec3214719a6e7

SHA256
f4391df3c3a8cc03f7f57eef5f1c7b4d549a1554689f913d7c76a46ca772546a

SHA512
20d3abfc31f922b768430cd403c9d9292f71f037b0eca24f735378abc6a67eefab03da46a078063a3e99583f4efbe68464c95d4f71cb26a1a2002149d9dd817d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
2.0MB

MD5
2a5896c23a1807b71fff39bb9d7e4576

SHA1
9a3c2dafe8ea7633a8da8296ea258e4375aa5e0b

SHA256
ce980a9bc59d85f99a3b21f18b99f8aa199b6c666a8013ed5209253bb7b60540

SHA512
cdb9c73c8ddc6f955a878714cf7985086004228e8ac258faa0b4906c565d5844894f6f9c9c2839574f60039846d6a1c6646f56c2832402a637d6168ffef0a197

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
2.1MB

MD5
5c3f7a0e66c954d3cf745fc92cd35189

SHA1
75e4967de737674d350695c722988995a48e7680

SHA256
168b56029a093df9dbbb215079d5da8944d9911dab812d8df15101f314503ced

SHA512
c7efbe69d2cba5a4ed1df14451b70077510d9af731ffe5be25a47c4060784decd076c29baea9fe7bc92b987c5492e531a56289663ba454a2db5024eec14a7fe0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
2.0MB

MD5
51477b043d83f8c5476aa4a07b95ad46

SHA1
055145ec2fa479d22545158bb8451602eb2334b7

SHA256
cbbf390943f2d58f274b5c485ff30ae6df223923f0027deb946b2db60e3ee27a

SHA512
10bee62b533997a63c465f1ce0aa4b95c16aeb2ebe7af40da87b444e5b23efdcaf5c31082e4c473434b3885f9744d10de5856b51b765284d9c0b3c5495327cfd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
2.0MB

MD5
62dd67904ea829d38ce5090e196f55c4

SHA1
036f30af0790891980d3e27844fe223b2a1059d8

SHA256
72f1c00aa768daed74ff22c2cdb4e549da54636f7509d6c6204d36f6b55e990b

SHA512
c27f791a8f237105b66b2080d0f92920227aa207e6c21167be1a4c9698d732582cb6faa810d179bde84dc649f979a1b69da95d452ce513f8a77d1b1b7d442c09

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
2.1MB

MD5
c005a2eaa96ed309691d519d0f177087

SHA1
e0bcbb9393665c0dd738608030d2aaae4dd4a00d

SHA256
0cfc5e6e588b5563fa195ea39753678183e5d6d8134321defa6f04d5d7af432e

SHA512
67abb08fd668e7cfbba9a695b2d13d2e794b7bec7cecc1f2217485786af6d13894078c3078aa56713ee87ced92535151e8c3462d02b402427ae9c8360ce9e562

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
2.1MB

MD5
512b4c9610dac10df8651da9f6cfaacb

SHA1
6a67d94be1b121075f82acac93455c0a443313e6

SHA256
76438dca730d4b55bf5b17a568981c8a5687f134be6d0c4bd0a57dffa0ded19d

SHA512
9416fe998a20bb719220d47ec67498d1d0190c3f9947f188fffd7e89efd408c5c7d9c8f74e116edca285aedbf775e258598c34678bc97a0cac754fa4516f1346

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
2.0MB

MD5
83ecef4d67c85b34a40ad1d85c328af8

SHA1
2d3eccdadc667980e7fe22aee17b64225002dae1

SHA256
4c1772043fdc6bb8f4a9218b8217a745089cfb899bea2620c64a7f250b27e9dc

SHA512
75d51649d0e1df1f44f0f87d279dda2392d98bba3cbf8867925d48ef21d3bfaff383c3757ae6621713d78e716d5a3942a515afcdc4acd9bdc81901683414abcf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
2.1MB

MD5
ee6e0c98e4ad9f44c6c8f7f849579c86

SHA1
eff18ed684647e808caab7fa971ee776865d7519

SHA256
c2001b4c8684330d80ae74e801c26564d23e133a2fd188210ebf3ba7c03e4712

SHA512
872a45f668e82320e8c12eaaad57bdbdb26e2799651235beb43add3ca4f7a43b9207a303deb780e1d202eee46ac61e172fb7891488374f57e50927d74f84fb36

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
1.2MB

MD5
f10e05d326c393353e90b943c115ae74

SHA1
539622eb8599903f81da47829ab9b4ea21a49034

SHA256
7864f98acfa8383f8e363bdb0f5bf3d5ba95671fee2df21801cd89bb0f034903

SHA512
314cef6ec55812d1c89ce15800b222320ba999c1665756c5996c76f4c96687f1da5ffd33ca5778d2eb4d0d2d6f212e22d7f74fec8cd333f07c871bdc635f9cca

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
2.1MB

MD5
2da6ca80c2cff7b50a9f32650bc0aa4e

SHA1
10cc89bc8379fde2df9e70eaf7363f6b0a5d21cd

SHA256
b2290342f477da237278d2607ed67e9f46fdabd74bc08146824f34c3ef7f7c90

SHA512
e551dfb4c975b8ec3492ad2e525cf21f9e795d2b89e864ad9747629e6087687a64f0a24afae4e1516d46054da2101e0c5f435180db1311993aa46ae37d5d1f8a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
2.0MB

MD5
3418e882a4cc6812b86fd33f26bd958c

SHA1
c16fc4d603bf57719d82c44123bfb12e0130f69c

SHA256
3688e9e268f7db8426de840e71ed2bcdf179a1a85effcca578b3f194ccd02485

SHA512
d3fcc924e1ce26db21d0223475abbd62f2b17dceb0ab5e511245c7f06b8cebd53f879c2422d8563918f97444673fb5cbc35b585edec436f5e620a286c5c77efd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
2.0MB

MD5
535c9c33568ea1b3b061e4d57b11f533

SHA1
b38ed380d383ce3d87f0244741de21a71ef776fe

SHA256
58104f6826af225ac409aa8bb9939ea7f8c2205b09f851ffe739f8031fd0afd6

SHA512
9386470e8a38e7a73ff85b4726eb21de569ebb0a8a6a2d37fe7159171ed98efb1f7cf1f5ab5d9e786f3ac96fad19548e6a59fff5d9da7272e5a86eefb12bea2d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
2.0MB

MD5
27da3ea49cdbda36d6b7693ae17992fa

SHA1
0ecddf589bcfa4013a72b8ec39c2166b6c2ddca6

SHA256
c325494ad09daa95e1e38185e95a178cfe1ec3b3c221b9d359d2aa29ad1637f4

SHA512
fbd269f3f8c9d616296649464f286268bb2bdf0fee70e07f7f3df26f7407d96db7155d6a5969be6ec1c3994c5828367ad9a9172af3203cdb71a906cc9a32599b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
2.0MB

MD5
e15af5f4d3e99506af4b52d6fe08c9dc

SHA1
c6c0be667e2dea20f6378df98c4e43a2447e69ea

SHA256
15645f1883b007dbbcd671cc1ca6d619c81f4d3194c7baf9278c251ab315340c

SHA512
0b3b6d3d7331938b2edfb2d12b702774eba1f4d798d7799c7e497ef0438877d604308df4203eed9c5455cdaf35662cc2d100f5d065ec19fe26955d07db54250a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
2.1MB

MD5
07f9d00a2bf24b026af080e0d15a3a1b

SHA1
13eecb999a6a8b1c07356b3a4186e28774499a08

SHA256
6984f3ef4dec11f67d3ce59e2e3be9be9d524764c6245a7b318db7fc068727dc

SHA512
d200304f54b78a7869fd84a73437cd46fb9f94ab0855b666334cf0c974e5dea88d50c3a317064832a6d9528d4e7253706971732bd835faccfa4bd90b21df57d4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
2.0MB

MD5
8b2b28b8810c0ff4e1f4dc324eb1dd05

SHA1
c2b253417b2c81d834743419befe91a772ec25f4

SHA256
83784a9afca61ae31c6ef3a5e56115f436eab9d1cb201befba35700fde36cbaa

SHA512
9d54463bb25dc61a20cec7cd5adcc97891fa19bd255d9c7d8e509665156cebc65b3e047f7f4f522fabf69c60bf989173c39f597f7b99578cb78b2797dea902c8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
64KB

MD5
413d30325d10eae732a8c6e9bae56df2

SHA1
a5d99c024b01b3bdbfc3a9fc008b3a8ddcc89d1b

SHA256
ff17f7e47d0904a2ed0aeb4adf774298c8df0037fe66af3e233f29a6ae6d6849

SHA512
5c6561e64ffc49365c7ee0de0ac06fb0f48c6605ecc9da8cd95267901b6b792601d424bf715c876941d397c106873f21f1e59ad71c159d1754fd377817437117

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
2.1MB

MD5
2da92597867acfcee7794c4c337f3f18

SHA1
750b739a149448d518a9970c26f903cd3487cd47

SHA256
1fe004dbf76025e56994347942ffcca823886fd8e209634becb7b713ce29f305

SHA512
3f44b662fcdc1ddef1e6966fe70a9deba14603e6fdbbd06361f2ccc2763e5532eeeefcdda9c051a7b516db38e3a0bb413df673b53b77986a054655a0493684df

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
2.1MB

MD5
84bba0db6ffe6ce8ae72d83bdde3244a

SHA1
b43749e43f3337c744b2e85bbcbe8bf0a44bf2af

SHA256
d73f3b6c136e004e679806a241fff9fca9b12549a5d58ea03da83440a35f08fe

SHA512
43dde57de692ef2af83bae5d1f1f799c22ad8ee12a980311d97aebeb45dcf10102800cb88318c7aaabd67a454fd4a47972e1fe44dc6587cef9971554184f3579

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
2.4MB

MD5
f266cfd7f8b4f966379aa55a12486cba

SHA1
e075ada36df254a6ee5afe7379dcbd523a19e341

SHA256
bb98c0cf5e17acfb9266bc777277d88f9be783d3221202f17e7a8311b1fa5952

SHA512
3935ad368918101d95711d4ff046d68217eb6e7c65d8a55631bf61d3389b34adb2c218e6ee7ae6a513d0c8c8a0139dd1192be52b4da486d85e62b77b82de7668

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
2.6MB

MD5
0b5c874f121d707455d0a968813888ab

SHA1
79552f1b830f1ea3f0b8d21deb9847430d11daea

SHA256
b437d8e1f90da127a5b0687d050a2497e3aa6c18f9d8529a4b58f7d395a917ce

SHA512
5163a97d348cdb798e1c5405cb0d6f98f13116a47e0cff05262a43a8f346f40c5e884b916eba7619d00ee642d54ff2f6da34800799fcf692fd097465856e9865

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
19KB

MD5
06bbb574c2f01f17d6747f9c75eb7f9e

SHA1
36fe28ba5d5ace9f3a957dd59376b226103869e0

SHA256
84ebbcd19fbb07c117badd32f4816d7c780912ea220ea8298ec46ed5a5205ded

SHA512
ebde4bba53edf493acd1bfa469f5f6d7201a21a82ff406bc7290a51ec372093983cf7674e392737e717cbf7879e50cd1f815b35229e132cf70f3323878d74731

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
2.5MB

MD5
29ff1213aae4cbaafea00e796928248d

SHA1
e103306722f431fdb39a1c2bd703dfcb0d1819b7

SHA256
9cc291ff7c87c60361e12347969cde523758df6da060e877415917e39958bf2b

SHA512
1bc96b126530a2726405be35bff32112ae3828998d269e31cccfecdaad9507ef4d45b041ab26445342cbcc2969d1c9d554468f61ceba7b6658eb4721c0d2ca2c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
2.4MB

MD5
9fb7f0514f4bbf404e35de9fdcabf89b

SHA1
563ba991be8e3e164e787dc38ed160082c999bcb

SHA256
99cd2eda8724ec089f5baa8ba1765f2122e2f371145f3263a21d3e04d2e0ff8d

SHA512
254cb9937ffa8cb2b15efd9dd5f0e638d8539a8338ccd106872cef1b7ab075e0d02efff798d11b14431cb6864987d7306fbf8f5a3b0e296617b88669b21f82a1

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
2.4MB

MD5
a74835d57a99e33e525c422d61795dd7

SHA1
31fe9434ea8cb71bf38411d10fe13497796cbeb4

SHA256
88383fcfadcad80924eefc9e9be499b528a2b1668b21c2094e83466856dce10f

SHA512
b91836737f582b5fadd59be9af3573f6a82f7ffaa6a5b74892fde082bcf87aa45f0407f0449582201096dd24082238a267bffd42e14906a7749d596ec367ff04

Download Submit
C:\ProgramData\QGMEUYYo\HKIkYsEg.exe

Filesize
684KB

MD5
6cf9990b582147fec99e5bda58779c58

SHA1
8987432e3378fd4b15692502d85f91054a6c96b8

SHA256
fc5720f333ef152b7d4f33fdd1df27d14b4deb7d378a4a38a9190f8bceee33cc

SHA512
99d41578bad0bd90bfbc84122ddc7c24cceb25a45e3a9e7b137c6ca74b4adf4f0f017751eca60382e01154df9011d9d244cbb9fe6469c068c8fcd7f5a459ea46

Download Submit
C:\ProgramData\QGMEUYYo\HKIkYsEg.exe

Filesize
2.0MB

MD5
f2949808ccd229bf9a52b3a280c0a57a

SHA1
6e7e58657733ff83a8c07ddb036eb66b9a30335c

SHA256
d344e03ed7d5387b857b82fd19de98b355064e6e886b3d5cd17bf7fbd32fc1fb

SHA512
4c7c2c012cdcfc13a16487505029d87bd4a3e7ae87a79f72ba51d20d0230fb99427ecc9cadbca3f6bdb87e2efc267e735b1b8184660007f63ddad0eb52d6f071

Download Submit
C:\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
1.8MB

MD5
3fbe76b09cfac8c2075ea159bb4b4551

SHA1
a7376c6c0e121ec88267d16cbc1c9fce54251546

SHA256
642a7fc8e91c39d4ac0a3259c9b10c52a251abd98ff23225389d696ea01f6b07

SHA512
5a6278925c37a5d8ff38d579d90cf2327e976e0ba0e2795b39ac818fb7275f2865f9771cbb5388a69180e0427f586515623994fe730f54449d830874ac1e152e

Download Submit
C:\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
1.5MB

MD5
dc30467957e30b31644ba69e50fa2b7e

SHA1
8930d99d41ff4ae0ae24ce05e7f61cef958ba236

SHA256
54ec1172bdae8c69c6e63e4376e2b85f60476d45d3cee9bee577a4572f900add

SHA512
49ab03e5296b8c555755de64556e411f4f239d259520c9e07106fbeae373cc609d6c67694cedc23370ab44b0d1ce2612b7c1247896d7faa4cb4b314bb990e910

Download Submit
C:\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
996KB

MD5
656dbb6679491adea223705782cabf16

SHA1
13d33d84eabcddee803d0a47eb3f1b5f2ea4c032

SHA256
73b78e32e6a15b1765c349c44ab1b42c5b738eb08e51350781e4e93263417dc0

SHA512
9e3b04de718a2ba257e887e659143e6161c58d048c95324d758dc2c3bb9f786c20f8f8514a7bb2c86c986da73604413b7d43ab13b4db73e65596bb2ee38d4e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469

Filesize
599KB

MD5
f2271fe569c058dc724d9b9e53811e31

SHA1
ea276fc14127875413ac387f017bd2291a987f4b

SHA256
bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6

SHA512
c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGMosUYI.bat

Filesize
4B

MD5
f0d929305a223335ea46ca1d65fda020

SHA1
7679350d2c9eaf406a6924d28aebfccf53fcfa37

SHA256
fe731fa683e8ba8dd9fb37a78eacbc23fc87a03e67f7b847d2e22ee9ae14ae7e

SHA512
b5ab4dac9a7d2ad8697c60e2aba44c516e3aadcb1fb0f30412fa1dc23f8d4aff48c26f237f5856d5b1faed8667e922b3be9a9764e9134870f9d37bd0af62d0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIkQQQwQ.bat

Filesize
4B

MD5
fd3d74b62f71ae087f7d5e42862d026e

SHA1
0ff22ef5f5feab7cfc6f522825eaa1eac1e38eab

SHA256
12ea09e70954e73d164b121a6b6a9dae575a4704225e750faa37cbc72660ee01

SHA512
7e3b1e4ac9edc6e409508bab9d3d2942042358dbcf52e2b7a51eb1c8952fed2615825d0a2d72512b28d3b4dd99f590a4b4d8072f3ecf987ca43a7c3fb9aed395

Download Submit
C:\Users\Admin\AppData\Local\Temp\FmYccoAM.bat

Filesize
4B

MD5
7a920bc9f16007db73dac8524667e9c2

SHA1
b8780546639c3f270d181e54a95dae12b286beba

SHA256
d011383f2cc54087ef87b77a0614951712ac1544fa3ef364977832ea74460c9f

SHA512
82514f8cddad87347bf574d6625991e6b5454f28138da93256a0500f8dfe4476a40d9fa6dc5ff63fad9dfcbe433afb34e759da6de02dd1296ac341c80992845c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCkEckQI.bat

Filesize
4B

MD5
0cb8ac5a768ce607422c1dec3f3351ae

SHA1
e339c196f331e317064ae825addcc92908083cb3

SHA256
99a0890d9c2a2c78a262e12ca2d4bb972e7857a9c3df47d684531e5d8013b1f8

SHA512
b18eec5c0fa64429c33542a2e6c6f9085cc101e0a1d8cf0907a8fea122c2da81f626983a8d335797802c7fd7adb7e11efef1dafbe21a10abe55181a99bcd1113

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMUMogUk.bat

Filesize
4B

MD5
7ede7391e0e1ce6d120e0c98a71666dc

SHA1
d66f7813adf7d205c1b9b4215699a2a4a2a54ce7

SHA256
37ff2f7c62e7a66b549e73d33bf970cfcffd4b16e7fa4561f63ba135ec08a87e

SHA512
01e1bb8787f512113b48d7a7738f1e56561d516ee90cd4ebee3ddcd95376bf71e1e08eb0e3ad3f7434d5be56ff0a6576c4e5a3ac220d14658207b181c15b6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgEUYEMU.bat

Filesize
4B

MD5
363fe719bc4312ada2fd7fe055de7008

SHA1
5fd1efcde29f7d5c9eab88078162a41a5cc6f226

SHA256
30cf284b414c96b96274d9ae52d6d8ceb99cb8577ad3560b0007a1a20d4d65c1

SHA512
9049c6415372801109bc090434cb898a09a4cc54f011b11ca7882010f534be3cf5e3eb4b06a182fcb27fd0d886b07eae9242ce88303652e7586db65aa8086770

Download Submit
C:\Users\Admin\AppData\Local\Temp\JycUwgoI.bat

Filesize
4B

MD5
8ff2554fa01f266f0df9b4899f3a01f8

SHA1
92600c4e8dd71c2f9e361511cd03802c6d7234a2

SHA256
935dac4a41c42d4db0a7de42327bddc5233d583b13fbdcef1c8a8a014c52ff10

SHA512
353316a6525c8a3191c3629774f422d0996792798ff6e03eb1395ddb2f29f9867dab27a19eaacd5295d10885c1a9ba481405345c26b893ef8b09deab8ea01a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyMcowcA.bat

Filesize
4B

MD5
97e12c7b54efc93063f24a7b97e68aac

SHA1
a30b3ed9011989b1f064e33c4ac60d610ba9327c

SHA256
f8f7680fa6096caf37fd39fe77b037bd2cac348423987c2bd0ab0e4c83e4a00e

SHA512
470df0a25cb8811712fe3c4c08fbfe1de9919540381fbb53383a799c9fbf6987f2ed1c86f3c56933cf2c0ed5941b82a13c68457f0e2f427cc9fe5a78c69e241d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYswcQc.bat

Filesize
4B

MD5
e1cfd03990692f472f945a0e2704356c

SHA1
ad8dbe542caaede243c54fcd0eea66954eda4b16

SHA256
453beec1e853d1ac72260486a0fe4777031dbdc3e7a321144d89a7a8c1d212ec

SHA512
25235fe2183f06e91a1f91d09787ed28662887a37aa1bb27acbe5af2fbec1dc7b8793eb0376b5340361df15e33afdbe06a79cefe9b2c69bf78e82147135a2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZiMAgQwc.bat

Filesize
4B

MD5
aa36aa59608ad9d6a03139feef92147b

SHA1
c35788a5cb1fe2f38c25a26f342313b380a09e6f

SHA256
ffa48a184c0d5d02fc6caa13677e3940ed8bbe07783465f9952453677050cf9b

SHA512
9d59314f6c173fd80d9616c7c85e02175bc3b28d8297e897c55a9dba19df0e9601ce9cd4c6e207478bc20b9305b10441bafaab294b468d2a018599c493122c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGMoYwEc.bat

Filesize
4B

MD5
078d9d1ffe465b35708d08c8404a8e3a

SHA1
0ff7774dc6798f8c6a35052277adfaff1285d014

SHA256
5b918924961e61a5ce05f1da47dcfde4f2e8547fe12a898fa5941356a4dd0175

SHA512
ac9ea106bab94f3b03230a7064a2c6c18a29baab75b66a506960a01da138022a1ea833d775b25c2c010dc2c0998cbb8746f1b9ee3f5fdfba7850938e03257f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSgMoQoA.bat

Filesize
4B

MD5
9133530d1a539a299685fa29d5a7739e

SHA1
e850b3ede7b153a13a806e6764d0163042b0e539

SHA256
4712488ee37173f3f83de994e3dc4c088fa2a136cddf48a31754610080cf7e16

SHA512
3d731d6a399c91239eb32054909e6e894b4edbc83d466b493a35f1c97a73ebf35d0ae8ae4efe7c6265476cb18225728326fcb57ab402534e3e318bc01163b345

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKMAwswY.bat

Filesize
4B

MD5
19c6bbe5c3f72f604b91a59e82b05965

SHA1
c5dcd7bce3f4faf8218c7d8e45d46b0ddb145447

SHA256
393338fdbfdf031615d31dcbcbe67d83a120f357d39a5fc514bc79fcfb5f3edf

SHA512
b393a4f0fedd9c16209aa9201ebfdaa2c1b53409ad3d1b779961d9fc8a3d079d8d431d06baa758a50969079b5f528408835c9669d61561015f1490369670381e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gicIMcwk.bat

Filesize
4B

MD5
1691e23f84414c354c704bed9f1bc307

SHA1
6d2b996f772377115d5288bce30a67ded0854ff9

SHA256
65d6f6a83abc0cbd4285f2b2b35ba092bc0509b9bcfdbab6ae082e061c74f8eb

SHA512
21b5143e6326f88ae15746b7adff15342f5ea9778873ba784117650ee2878cf9b408d09684f05a8aaaa243aa6dfeb4bad2029bcce350f9b3231b2d1030469717

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoQsMAwM.bat

Filesize
4B

MD5
bf669b5b3f89e15a62775bbf741daffb

SHA1
5b587397acea6f0529763f7480c922061b528f0d

SHA256
930c0a8b9ba750523c43ddc6e94cdbab411c7fb57d8ae237a8b13a5fc134152b

SHA512
d68a8a7be6dcb98272fbad686bd27c27921b199f86203564048f46c64fc46f49c9c8c52d53cc480024d1df099cbdd2bbb3e06b6e2faa3bf3a22c952df4445ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIQIUUMk.bat

Filesize
4B

MD5
a65da6cff6b492ba72e3f9b467f764e3

SHA1
3f356c9fea4e6857572fd14fb101c02c43e62379

SHA256
b61de967a23eb97ccb750cd1c71a756d20c1bbc2bac85e6ed8a41cb5b3ecb800

SHA512
fda3855bb19ace8b053f0cfd59c2198c989ec7e5d5154d6e92958c597275d58248835b36c519f82db85a9023100b8e1d0e67ab5ba23b851bd64c0621d5b8d062

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKgYMMsw.bat

Filesize
4B

MD5
6506ef2ca2b7b9b479261138cc4cd1e0

SHA1
5a68d6abec22fefc0ae81185b2c0057c7dd2ebc1

SHA256
9c044a0e0e99b0e056ca1f52999e85b849260ffb3f5ce7ef515f2cd75f7e10ac

SHA512
578c0efabe50e48257bfcd37a52dd79ff8d49136119b028a682be9829210aa9408fbda4cfcfedb94a06550b2e134598d3bc2e8d239ff9be15e13b8bb769904e8

Download Submit
C:\Users\Admin\JiUwoAgg\GYQYUsQI.exe

Filesize
1.8MB

MD5
9a186eaf029579802e2eadda06607ef6

SHA1
f2658746c9a2fcc44f7b84e22a3e7b90b974622c

SHA256
57d69c10c5658712cf360a5ff2cb675f50f7059e45e2f09ad02ad26acf0a7485

SHA512
fbe92ae6dd2ab75cfe05d343a50d87805898519fcdb90b8a10ebea201986909c40d9b9239b404fcc81429b690be942b3de46c8f2c159de9ee5d34ec8493ce543

Download Submit
C:\Users\Admin\JiUwoAgg\GYQYUsQI.exe

Filesize
1.9MB

MD5
c324f86b5b8792c1f3c4076897f175ce

SHA1
ca98155f479120c748230d16c61157102f555b5f

SHA256
3600a418bf618fae7847668d3cde48a65f29ad55ef57444a6900832c7114044c

SHA512
cac62842b784abdeab93d44c8777ac33d6d27d28d1efa78efc60fe19c470162e0c69811418adbcf22f33bb7377c6edfd1bb5952a06d22f9f35fb782b0aafcf1c

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
2.0MB

MD5
098983eeff35b43ed0d3342eaf2a6e79

SHA1
adebeaa125ee1bda78810c145b79093023d4c48b

SHA256
e0d8018472a36bbe91c4477967964c53dff7e4d9c149e05e03a4becf2674076f

SHA512
849753cde8636962f4407d34f1710be4e5212e98bf9280732d9fea3d780230eb73fc895134b354135841b5a8540a4f4492a0b58673d4e0db3f3bebd102175c36

Download Submit
\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
1.9MB

MD5
dac4d88a551ba5978b3dfa8873dcf33d

SHA1
79aea2a618ca96cdb4d809b0848a93375d166857

SHA256
b406ed46dfa26d5e9da804f33785fc83f73b3644933a0597b63f94c1368162f4

SHA512
5dae8857d308db87be48bc59dcc4d714468030e4b52dfe6e2d2be0f3a05118f85c5fd945288bfdacfb92c7831832fe81db97bc2df40f6760441f4f385dc8d30f

Download Submit
\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
1.4MB

MD5
eaaa862fcd94d74e66d71438cb076c08

SHA1
179de8dd1dca6bcaf92eb0f32a1801a464b09618

SHA256
875158d137098c85a9bf5e198c1ff70903bbcf9fb13202ca6ecceb4c13274762

SHA512
47fc84253b9f589f48118826171c46fc6055fa5a894c6a6a1aef647c403fcdc97e69e8ea13db172aee8aa9ea1c12caddafa1ee663f6d513f0422acf2d0739c63

Download Submit
\ProgramData\lAkgYwUg\iUggIYcE.exe

Filesize
841KB

MD5
1fe113879a765c7c295a8ada88b44a8f

SHA1
2903d1b72ffb546bd3b7e2a2be4703383939a615

SHA256
bab8f807eaf018f50048d161c063c73d3fddcd3dca34a68abb6b76f69afd0883

SHA512
420a6191c1d7fb3971f34059b01af22be9deaabcdeccbba53e2f5d1fe91f208d8d4494ed8a8d18cd128a5dfcaa5c6a82eaf6c33e832faa574a0972d2816eadf0

Download Submit
\Users\Admin\JiUwoAgg\GYQYUsQI.exe

Filesize
2.0MB

MD5
cd2f478a1078f20ef11b80a3441b2405

SHA1
f860f64e2d4103b7234298e520985b6c55db2173

SHA256
5b0e40fe7b415085b9405869a8c96d87f3a6b90c9a49dd3772cbbe8d7341a8f8

SHA512
fdc66e68914e456828e11839173c3876e7e632e28afc5e3973bc77e60e639703ee87c1a30cfff010c3e50ab31e873061f861a147a142891488ff0753dd621f2a

Download Submit
memory/296-368-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/296-542-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/324-379-0x0000000001E40000-0x0000000001F07000-memory.dmp

Filesize
796KB

Download
memory/324-54-0x0000000001E40000-0x0000000001F07000-memory.dmp

Filesize
796KB

Download
memory/364-1078-0x0000000006320000-0x0000000006325000-memory.dmp

Filesize
20KB

Download
memory/364-268-0x00000000002A0000-0x0000000000376000-memory.dmp

Filesize
856KB

Download
memory/364-23-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/364-1080-0x00000000068C0000-0x00000000068E6000-memory.dmp

Filesize
152KB

Download
memory/364-347-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/364-20-0x00000000002A0000-0x0000000000376000-memory.dmp

Filesize
856KB

Download
memory/936-889-0x0000000000220000-0x00000000002E7000-memory.dmp

Filesize
796KB

Download
memory/936-1079-0x0000000000220000-0x00000000002E7000-memory.dmp

Filesize
796KB

Download
memory/1240-848-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1240-543-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1440-380-0x00000000002A0000-0x000000000033F000-memory.dmp

Filesize
636KB

Download
memory/1440-601-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1440-382-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1620-348-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1620-494-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1620-318-0x0000000000300000-0x000000000039F000-memory.dmp

Filesize
636KB

Download
memory/1648-938-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1648-1082-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1728-849-0x0000000000300000-0x000000000039F000-memory.dmp

Filesize
636KB

Download
memory/1728-858-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1728-1077-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1888-409-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/1888-669-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2124-408-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2124-152-0x0000000000690000-0x000000000072F000-memory.dmp

Filesize
636KB

Download
memory/2124-174-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2168-0-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/2168-173-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2168-1-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2168-146-0x00000000002E0000-0x000000000037F000-memory.dmp

Filesize
636KB

Download
memory/2248-1032-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2296-781-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2296-763-0x0000000001E80000-0x0000000001F1F000-memory.dmp

Filesize
636KB

Download
memory/2296-1068-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2444-447-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2444-440-0x0000000000220000-0x00000000002BF000-memory.dmp

Filesize
636KB

Download
memory/2444-754-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2536-226-0x0000000000220000-0x00000000002BF000-memory.dmp

Filesize
636KB

Download
memory/2536-273-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2536-446-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2668-367-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2668-24-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2668-22-0x0000000000600000-0x000000000068C000-memory.dmp

Filesize
560KB

Download
memory/2668-317-0x0000000000600000-0x000000000068C000-memory.dmp

Filesize
560KB

Download
memory/2704-888-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2704-602-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2760-51-0x0000000000690000-0x000000000072F000-memory.dmp

Filesize
636KB

Download
memory/2760-120-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2760-381-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2876-1076-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2876-1074-0x0000000000690000-0x000000000072F000-memory.dmp

Filesize
636KB

Download
memory/2876-1081-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2924-1011-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2924-670-0x0000000000220000-0x00000000002BF000-memory.dmp

Filesize
636KB

Download
memory/2924-695-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2948-483-0x0000000000340000-0x00000000003DF000-memory.dmp

Filesize
636KB

Download
memory/2948-780-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2948-495-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3048-225-0x0000000001DF0000-0x0000000001EB7000-memory.dmp

Filesize
796KB

Download
memory/3048-17-0x0000000001DF0000-0x0000000001EB7000-memory.dmp

Filesize
796KB

Download