7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
1800s
max time network
1722s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Size

2.0MB
MD5

c5d373a1954822afcddcc785e6ad6045
SHA1

4db2eea6bd6cf5ea40ea14c3ecbf3845d05dae73
SHA256

01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
SHA512

67a44eef568aa7d3444313256146af4e26a8614326f0b6ecf029f765733c38fb8ab54986f25969a9030de3a3bf9408373e0c1d23b049e0cfb908fa8faf1d981a
SSDEEP

24576:S2IOcUV7/Fbi06CFZZxdhf8T7njJfl0POn2AknzL+STqPeoAt6ae7yStHq+p19Sk:S1UVbRioFZZxT6SOn2AHbSTJA9TyC131

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe,"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe,C:\\ProgramData\\HGIYIEIg\\NmUoQUoQ.exe,"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe,C:\\ProgramData\\HGIYIEIg\\NmUoQUoQ.exe,"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe,"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	zIckIAUY.exe

Executes dropped EXE 3 IoCs

pid	Process
1876	CyYwYkco.exe
2540	zIckIAUY.exe
1808	yOYgAIQQ.exe

Loads dropped DLL 38 IoCs

pid	Process
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zIckIAUY.exe = "C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe"	yOYgAIQQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\OYEoIgoE.exe = "C:\\Users\\Admin\\IGMscoIU\\OYEoIgoE.exe"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NmUoQUoQ.exe = "C:\\ProgramData\\HGIYIEIg\\NmUoQUoQ.exe"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\CyYwYkco.exe = "C:\\Users\\Admin\\BiIYgQog\\CyYwYkco.exe"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zIckIAUY.exe = "C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe"	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zIckIAUY.exe = "C:\\ProgramData\\fQgMwwUQ\\zIckIAUY.exe"	zIckIAUY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\CyYwYkco.exe = "C:\\Users\\Admin\\BiIYgQog\\CyYwYkco.exe"	CyYwYkco.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\BiIYgQog\CyYwYkco	yOYgAIQQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\BiIYgQog	yOYgAIQQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1356	2772	WerFault.exe	53
2500	2312	WerFault.exe	54
1648	1396	WerFault.exe	55

Modifies registry key 1 TTPs 36 IoCs

Modify Registry

T1112

pid	Process
1824	reg.exe
1708	reg.exe
912	reg.exe
716	reg.exe
1732	reg.exe
1880	reg.exe
880	reg.exe
1756	reg.exe
2636	reg.exe
1296	reg.exe
2412	reg.exe
2000	reg.exe
2228	reg.exe
2836	reg.exe
808	reg.exe
888	reg.exe
2232	reg.exe
2560	reg.exe
1840	reg.exe
2132	reg.exe
764	reg.exe
2936	reg.exe
1372	reg.exe
2096	reg.exe
1700	reg.exe
1724	reg.exe
1852	reg.exe
1268	reg.exe
1708	reg.exe
1344	reg.exe
1244	reg.exe
1588	reg.exe
316	reg.exe
2296	reg.exe
1632	reg.exe
688	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2120	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2120	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1636	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1636	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1492	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1492	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2232	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2232	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2204	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2204	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1596	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1596	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2072	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2072	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2540	zIckIAUY.exe
1864	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1864	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
1680	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
1680	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1808	yOYgAIQQ.exe
2540	zIckIAUY.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe
2540	zIckIAUY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1876	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	30
PID 1676 wrote to memory of 1876	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	30
PID 1676 wrote to memory of 1876	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	30
PID 1676 wrote to memory of 1876	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	30
PID 1676 wrote to memory of 2540	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	31
PID 1676 wrote to memory of 2540	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	31
PID 1676 wrote to memory of 2540	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	31
PID 1676 wrote to memory of 2540	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	31
PID 1676 wrote to memory of 328	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	33
PID 1676 wrote to memory of 328	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	33
PID 1676 wrote to memory of 328	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	33
PID 1676 wrote to memory of 328	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	33
PID 328 wrote to memory of 2568	328	cmd.exe	35
PID 328 wrote to memory of 2568	328	cmd.exe	35
PID 328 wrote to memory of 2568	328	cmd.exe	35
PID 328 wrote to memory of 2568	328	cmd.exe	35
PID 1676 wrote to memory of 2096	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	36
PID 1676 wrote to memory of 2096	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	36
PID 1676 wrote to memory of 2096	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	36
PID 1676 wrote to memory of 2096	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	36
PID 1676 wrote to memory of 2412	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	37
PID 1676 wrote to memory of 2412	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	37
PID 1676 wrote to memory of 2412	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	37
PID 1676 wrote to memory of 2412	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	37
PID 1676 wrote to memory of 1732	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	60
PID 1676 wrote to memory of 1732	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	60
PID 1676 wrote to memory of 1732	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	60
PID 1676 wrote to memory of 1732	1676	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	60
PID 2568 wrote to memory of 1900	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	43
PID 2568 wrote to memory of 1900	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	43
PID 2568 wrote to memory of 1900	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	43
PID 2568 wrote to memory of 1900	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	43
PID 1900 wrote to memory of 2464	1900	cmd.exe	45
PID 1900 wrote to memory of 2464	1900	cmd.exe	45
PID 1900 wrote to memory of 2464	1900	cmd.exe	45
PID 1900 wrote to memory of 2464	1900	cmd.exe	45
PID 2568 wrote to memory of 1588	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	46
PID 2568 wrote to memory of 1588	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	46
PID 2568 wrote to memory of 1588	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	46
PID 2568 wrote to memory of 1588	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	46
PID 2568 wrote to memory of 1824	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	47
PID 2568 wrote to memory of 1824	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	47
PID 2568 wrote to memory of 1824	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	47
PID 2568 wrote to memory of 1824	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	47
PID 2568 wrote to memory of 1700	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	48
PID 2568 wrote to memory of 1700	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	48
PID 2568 wrote to memory of 1700	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	48
PID 2568 wrote to memory of 1700	2568	01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe	48
PID 2772 wrote to memory of 1356	2772	OYEoIgoE.exe	56
PID 2772 wrote to memory of 1356	2772	OYEoIgoE.exe	56
PID 2772 wrote to memory of 1356	2772	OYEoIgoE.exe	56
PID 2772 wrote to memory of 1356	2772	OYEoIgoE.exe	56
PID 2312 wrote to memory of 2500	2312	NmUoQUoQ.exe	57
PID 2312 wrote to memory of 2500	2312	NmUoQUoQ.exe	57
PID 2312 wrote to memory of 2500	2312	NmUoQUoQ.exe	57
PID 2312 wrote to memory of 2500	2312	NmUoQUoQ.exe	57
PID 1396 wrote to memory of 1648	1396	nOQQkoEA.exe	59
PID 1396 wrote to memory of 1648	1396	nOQQkoEA.exe	59
PID 1396 wrote to memory of 1648	1396	nOQQkoEA.exe	59
PID 1396 wrote to memory of 1648	1396	nOQQkoEA.exe	59
PID 2876 wrote to memory of 2120	2876	cmd.exe	63
PID 2876 wrote to memory of 2120	2876	cmd.exe	63
PID 2876 wrote to memory of 2120	2876	cmd.exe	63
PID 2876 wrote to memory of 2120	2876	cmd.exe	63

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
"C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\BiIYgQog\CyYwYkco.exe
  "C:\Users\Admin\BiIYgQog\CyYwYkco.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1876
- C:\ProgramData\fQgMwwUQ\zIckIAUY.exe
  "C:\ProgramData\fQgMwwUQ\zIckIAUY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
    C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2464
      - C:\Users\Admin\IGMscoIU\OYEoIgoE.exe
        
        "C:\Users\Admin\IGMscoIU\OYEoIgoE.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 88
        7⤵
        Program crash
        
        PID:1356
      - C:\ProgramData\HGIYIEIg\NmUoQUoQ.exe
        
        "C:\ProgramData\HGIYIEIg\NmUoQUoQ.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 88
        7⤵
        Program crash
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        8⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        10⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        12⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        14⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        16⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        18⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        20⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9"
        22⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:888
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1852
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1700
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2096
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1732

C:\ProgramData\vqAAgYQo\yOYgAIQQ.exe
C:\ProgramData\vqAAgYQo\yOYgAIQQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\ProgramData\AaAcwwwc\nOQQkoEA.exe
C:\ProgramData\AaAcwwwc\nOQQkoEA.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 88
  2⤵
  - Program crash
  PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11677262372054710-180087886638950605520062093447385024-228419429-75748165"
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
2.1MB

MD5
3b1861327c7e236b2c1ad90d536f086f

SHA1
5d3ddf3138fd1b7a1f553898987be463a735b413

SHA256
d15dc71d6f78433b48495a9fd2e46152ee8daf6b0f87f02edb404c5d6ad72334

SHA512
7fd70af1a610eea853f408bbbf258b720f813940826d328e4b2619920ee8af0465a02bef7c71f924428bcc926a75391167ebd7ddef05f65e00f42cc0029a1ef9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
2.0MB

MD5
f074aba8ada0a988e730440d114af038

SHA1
35e25b07bfc9483edc17a7f812306ac8e886da74

SHA256
2da8003b29a62590b81378ae6dfa947cd50338fb498e6473a70f37f07ce78831

SHA512
8141708b99e5f750a0521720de210ef9c19354c844619e92e10bc3a63de97a74b88f90d9216d75f24e368ec7b88311cf07d4fc74ae047823e2b501d5bec088a4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
2.1MB

MD5
ce5f394bc08c94f7fded501d3bce6c5f

SHA1
0019a9b67f29d2619b5c25035370895a5f73ac8d

SHA256
1c7d806020fffa8db9053bc2395ff1339cdcae3e1a8337e56f736cf6d8f7a4f3

SHA512
b8231746b8a2f00ccbfe28845e7c7784965f32a5ee956cd60a7269ca763c70c2512395c53cfc2df0861f950b3a63184865a4fe63b04559ac7bfda5025be1cc39

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
2.1MB

MD5
8a168ca03506a6f49b08e9fc419f4c15

SHA1
08c3a9dc8449839725ca1254cffafbf368a3fc28

SHA256
7dbc2eb7c192e13fa391e87dda4b12830f5991b9bc2f35a729a7e26ac3c3923a

SHA512
cd2ca0e37e1e13428dd8df2d21a9478d6418ab4e5437515584aeb30991ddc101720399c1f55972d0d2b99425d8842346dd820890b39517f2ab788bc3495d6997

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
2.1MB

MD5
a4800a213f4de17aa11db4730b73fb3a

SHA1
e804a5f1d33a021bee0307ff473bc6f9afcf7a58

SHA256
f0848e47f7c5dd7a5b1cacee955d343f7fa789a600a564b430ba56550d8f5cd9

SHA512
b65d043f753cebd85404dff9b628361c35fbdb16f274d34df3f448e13c27258b3d578625f8f4ad492bfc687c629aa9831f61df8f842f364f1181d1c5b4e63a48

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
2.0MB

MD5
6a14d0bcbbbef76bb90f0a50e417ec3c

SHA1
5a13361dae8ec554ea00ad22301e31d7c7472e36

SHA256
f0e186c736a01100343829d880596fe90f1f66acb66e08f6a9929655202de553

SHA512
5088ac3fe9500c5fa6da17871a1dec63cb45510e0b5ffb94f5d0f4f17a690c20a7d5241a206e65560f285f1da985b8504b5e43f912a4ceb5475075ea0de5770e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
2.1MB

MD5
1a67b302d165f883defc32a2bde92709

SHA1
a676016c2e217347359eed4ddd27bc23ea91de38

SHA256
b7e0ffd4b019c676e9218774610a9af6b9c90df0f29c4c49aa7d0e699f5e3ab4

SHA512
6b832d5055f84b22899de5f2b52bbf32458553b069d026c6ccd378ce406b0af6e49afd2754fa5a643bbf201b357eff7f5e5ea156cc98b7f65ff0ef190ff0b410

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
2.1MB

MD5
bb1d9bacc667d13ff331aa98727bdbc3

SHA1
dbd6c91fd29b56f9e61edf84273932a48c41ec09

SHA256
f2014c932fcc85b1c47c0da78efdebe75b1774a22e9a91190f48a8f6f1eb702a

SHA512
35f11df63760a8b782319b51b598f81bbcdf72f4e93d472556db6272e0129cb09078f91739f3e8483a23faf2666695664dbb575f554ac580d976dcc2225d322a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
2.1MB

MD5
9765e661ba8d9eb225eb50f7c79b05eb

SHA1
2dc42bf0ea360b74a48350e944eba8f752a134a6

SHA256
0ecd9236730c7678f1852e61ea0ebb71461361c6230f600708a8955cb5302502

SHA512
12109940fe9b2fb82c1f7d59e47cc178fd98f2cd88c55c53ac2f118f4536a26bc0c0850135645baa9bb16ad95e87ad012fcde726571688c4a436c9e63b8c17bf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
2.0MB

MD5
3a9a32ea47cec23c6ce9b2a571eddcf3

SHA1
bab4c66207871be665784ba206a16db6cdd07807

SHA256
69f2826227090e4eae0d07b5a34a56ac057367b199043b1be2e25ac579565f43

SHA512
ae38c6da70b40b52586393ebee11637b0fe26c859726986b48447e1e1644e49aecbcc209a7857f6a167eec05dd17a1035738e860ab1dd256729b73a4358f6c6e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
2.1MB

MD5
1d0c12e5b43d4637dc9b71cc9daf86fb

SHA1
0dddddd9f72978caf799703c3445f5ec3c634e71

SHA256
7de870118136d912b097a0a3b2d0318f750257ba439cd71ce4d4b012460df555

SHA512
ab660ab9c9ed6b8c3120408ac4d75b2dfd8e2cf170b04f9db8f317e88bb1358961abda01836cf5572f115e8174113b9372a3852c5fddaac28e58c6e4c4541701

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
2.1MB

MD5
66f8749974160e06c0d2acbfa6c2a1b1

SHA1
2144f3124d10b1e0c3b379d8e7ae2580b5857106

SHA256
50daa2d7d6ed8879d8d44b3fd5c7955bb4f878c66f854087a2242a42a0024f24

SHA512
2e0692e1e35fc6c2e5deb6181f76b277e3643de079678e64bac5c73c5aa966d951bf80851a25c4c5bc0a01f05d1ac0244600a6eb0bc5880330e53c5d8592e0af

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
2.0MB

MD5
c7ac8e7c7913f8786cc22d9adeb1c882

SHA1
6e21b92d0e6b378207aa478b409c831d0de6b3f9

SHA256
8c63b38f5e4d9fabcb6a049a9d2797d6cc5ca625fd83817076197ac108919b1f

SHA512
518a0bc15467633dd22fbd05e955fad1be16fed2d5372ec08c9ea538965b1ae13594500619b2530b0a94bc4cfaf511b07b2977d0e05e2076170591552061c905

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

Filesize
2.0MB

MD5
4f99cbfa9cb6afa3268eed22e1c5ee75

SHA1
7fde1d872be0b9fcd8e14581ad1d9fddbf9f4677

SHA256
b1f08d652d72a6f92fbd1263c89977af8e1672474991e24695b4cf97afe41545

SHA512
6a1c04c81f87eb15784891e02ecda34f4753f383de898ec0705b51198ef2a978ed1de7cbcdfbf5d3565cc43253c2bf2ee02ac486fd9caf57acd4bcdf0d187e90

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

Filesize
2.0MB

MD5
bf45001c572bef2957ed5698ce03ee8c

SHA1
b98d4d2369e01743ee312a21e3dadce75b42c26e

SHA256
11a46f7cb4943d855aee9ee8c473023ae2367f9e550b863d0174960d209958d2

SHA512
922e034031a7b3167ed56ca0e9add772c0fc7abbe7e07d6d971acd7acdd6bdedf001210420c2cb71f7130575b4659cb8b243dbc40891a10c6a741fa525e03f14

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
2.1MB

MD5
50525ea810fb3091e7478773eba7b677

SHA1
f54eaf377c22c45176dbd76b3d23e61d49d9a6f2

SHA256
c48a2aa1bb8776354187d59027718b060eb7b4170cac448c06b33a726a75d70a

SHA512
3e6ce1c859973f0c5fce0e229539645cd2f964d0c742aef09ca68ee14c1f593aca1e59e9bf9ac249a41d376587350d2fc39994a607f068a31004508a43836847

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

Filesize
2.1MB

MD5
349a5ad6d838ba3c85cf2111fdfed97f

SHA1
d248658d2d41f62582311ddaa3a54bda43ff59fe

SHA256
b9d0fddb9aecb3a4238add02330bdbbef1ad8f4847228f1dce93536405c4a7d2

SHA512
fe93954e19e9a6b582b75e23ce281ac1d7093274bdd663b12296bf6831585b5b921794a6db6b57a4c301f0d6498a95f8afda3367b2b2699377db8178b6eb7a90

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
2.0MB

MD5
a809cfb92eeec1f7206678fd880f8040

SHA1
3a0fb0d1680ae1be91e7cd66e94aeec20495073c

SHA256
a0ef51a8835d2a3b82acffc4cd9e19316925fa78ec14d6de310b37c886aa5666

SHA512
f0e0f0deed1bd99d1161c615d2204efc57994ac9d43bc2e552b377c1517a360dfda4acd8684bbc0eaa1d3655071523b564958d6f94cb367bcd0a84ee495c67cb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
2.1MB

MD5
ff84972a73e40f99ece6ef08ce3bbb97

SHA1
4bdcec6e028ad7cb9ae32fbabc6d7abc62764735

SHA256
6a8df0a7163dc4b55ebe0d0ac2b9f953f6095e5d4761d4a3d58a53365c489dd1

SHA512
ae440a45ea211cde2a4fa97fba80e4437a8aa759fe545961610ddc589fa6e59dacc7aad246e71cceee1a8c1fc147b02cbedba72faa31b3402b7784c45bcc9b31

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

Filesize
2.0MB

MD5
2d5af8f80d4a2f3a7879aee55070e42d

SHA1
9ff9e72192b75e509635e62429306ef99dc52da0

SHA256
6a4e1166028f2452591eb33e5695aaea9d4bbfe4e60457423721ccfa17fdbcb1

SHA512
86b0e3b849a799a1e82a973d34ff9d8aedb90fffa01839314e7cda586b586c589774081ac7e86b0f3401b0e5469530b936df9a122d5d11f3c06f0c9422c03d32

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
2.1MB

MD5
22810ed60212e2663265d5ca223907c5

SHA1
14b9531611753259ad9e68382a711cb2c282ce1b

SHA256
f901cb82c38f82557cfcc0cce6ec7928b5949bb29d8d910833219a5d639d72f5

SHA512
32f713f4a1056eef7bcf3b5734f63a2b25bee689a71ce75bf5b34235d35b9903b1505dceeb69a7118def0f96fa8dcf8387e190215652d79a9fc77208a0626874

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
2.0MB

MD5
c5c562d436f42831c3df63bbd268fa39

SHA1
eafd6754bcf03bb166c6ccb39c5ca388e0488257

SHA256
8ac0c7a14bc11af8c0a873a0c9a95bb0470cfc578ff40e2214980a1242c3583e

SHA512
7e0d095366029957c132468ba035d5565d5e2fdd28cebe4bf1b0d3e673d0ece7588d9e48688229f1001b9d73b6b3f8248707ad48ecf04b1f3fb01af89c17d021

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
2.0MB

MD5
7c165b965b3c7f8b901f6e6b15e5693c

SHA1
d5a76a65fc2b77351b017c2b54e4fd373f223330

SHA256
941f8abb1a4ca6bcdb0a4b70526b05e65efba41a2394db75e0ad57a12aff109d

SHA512
217e3e83b19feb7b7683ca75cbc1683ebcb576d048fbe8d0bc548d2140e5176461907e29c59e8e6af376e6ebffda33797c46c6ac0dc04fde457cf915eb9b30cf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
2.0MB

MD5
e0607d8a5e3356b8303d42b14b665f15

SHA1
e15da1296801bbc497a16b02f7ba693fe583d573

SHA256
16cdeeeaa24f369652f2e65e8634a462e64ee7b179ab899ef7bf15239728187c

SHA512
e423d7497b70ee89fdb2f676f13a46eada00631dfe515324842b68937141fb9790cdf6291bc271b82bf76df6d765c77814fc73892b58cbc77b0938b31879a8c3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
2.0MB

MD5
9bc590b2671ce2ba1147ca642d4bb9ef

SHA1
369e414ce0afc04e8bed5656f5efccf53d36645e

SHA256
e26e5976a1df3b700cb29b467f95192329e861a2c82ce5e6a3dda6eb0dd968a3

SHA512
5a1853c2b9c05a19100a29197b3cf15fd8571fda83533582d7da276885b17882afc28b72318478d04019b15381ac0ce3e10cd4fd2ee13ce6addea0323f3b1bbd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
2.0MB

MD5
3a5dfc1d25714bc37b667c754b5c438c

SHA1
8ed5c828e5658fa43294d50b32eb1319b3dcf682

SHA256
eb1e2386f56a4b1b7884752e050c5261fd007577be10a52bfd55010351654321

SHA512
673f2f2ffa8b7fc63b0aa61e6026113dfa633346a55a4eef8d6c91365b26f9f567373cf558248b0dc62837d7df52887cb90aa674bad083dee34574f2921cec16

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
2.1MB

MD5
2ef85c31fc68d6027a8ef58777d36e11

SHA1
1a8384dbc0da8c81a3230baf101527ed9876c45e

SHA256
efbd114d29ae9a1f0f3f3619456d9b39717aafe1f14ca783ec1686f637562ea6

SHA512
f00bae638916f1cc7be3a1a417524423a71333517750393c4a512742acf53b4444345101e1e67b9c52855da51003935ebb40acd94d7920e4bfd7c8c6d971180a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
2.1MB

MD5
3300960c78e78178e5c797d1cd6e44d8

SHA1
ee4300a1e1605a9bdd8ca4d619067280b240c436

SHA256
9ff02cb21c972c8d3d7d46562c5ffbefd6ebfba8d7b968f989bf67108eaa50b7

SHA512
c192db690c86b9b59ec45db217ccb5a6d554c42f7f8122958c5980a7935d1089d02326f47313b2c436e22bf7c23ba91c7416f8faa3752c61daebcf51ac55a08b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

Filesize
2.0MB

MD5
56abb3177c92f78614944acc4628c2d2

SHA1
45feec262348ccf900a6b3547beb274a52bd3a00

SHA256
bceb60e928d9c5decc1ee1379ee6b4d87dffa9f59eac7b8192810b3069ca22f3

SHA512
f25ad6db045960d7aa8f9aedc3220ac35f039075049c94dd6e1366b1b6a314a0ab29317813e0f2d2025c9d7a79451401c755638947e7e32fe3ab86879f0b16a4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
2.0MB

MD5
f987d1b5e1239d96512d3c92c7e73f1a

SHA1
ddfd2e2112ca040b0b9978417c437efc58bbf396

SHA256
dd8aeeb3912014ff4f9fa07d806089f8faffbdda5f5cba74c0362e24a888cc3a

SHA512
2ed8a88a30423dff65901b03dfa2ffc804fc8f1b295486dd8f31bb66b1a8fd8118f670a86f259803a9726589509f4a33b78dc0f3e36631e9602b7a344f19fcd6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
2.2MB

MD5
08008093b6516fcd28b705676f8c71a6

SHA1
24c9cd2e2e613e3e5b801c323c87669cd384bd12

SHA256
41e949e45efd424c72408d499e06d162f100d44b6fc102e85c0a6b6cdc300bdb

SHA512
17ff2870ccdb8aeda889e79ed22f577b9f231ddb448ad416879db2f671c70aec0ada445feb53276ea43bb255e24b49637a2e3c3a5ae58fa091bc823844bb56d4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

Filesize
2.0MB

MD5
bb60401fc64682330c1753bad81f58ec

SHA1
2ceb0b5367fe8ca8c8a794e6347d247b2a1bc98c

SHA256
67174ae644b00cd73881a08759dedc57903b90e272d7e6666c65d3e3a45f368e

SHA512
bb976d7d3261fb3c5a5680e822f7db0dc651b79e1555fd74679d2a6cfed97b63f7bca57c90f483823d613bd3be9215a35172b969cb04fc2cbcbf66c75b7da97b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
2.0MB

MD5
355f5ef6451bd5b39ec1e494db8a2edd

SHA1
ee58a1403d7e6826a0dde89fd63e1f8cd0daa217

SHA256
1db7e45f592ccb6a623f0b55c51806094bf0cec27f3ab175a39024580094957c

SHA512
819070e887b84333cd0785c227b355461b54eff078fbd9d0cccfa4f2841c307e0ff355a0852ecb8f8de2b56ca9226c4b311b6449554c8465c42a2f661d6cc66a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
2.0MB

MD5
d4aeff5447801f6c956044c1a98664e5

SHA1
b2b524394cef724dd3f269b8054c8c43132c6dd2

SHA256
a4aba6e3a97d5e5ccf29052f8983ffb1a87eabfca4ef83e9e9218abff17704c2

SHA512
cf9c9294c534e38919ac584952ea379a8dd53ffef4d4eb72ac4a068f30ad81e04f3a3ba4eb35533bbc178f22fbc6cb86e79bcaf00a15c625714880d45e711c16

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
2.0MB

MD5
b27660a71ee7a638a60a49e9e5cd6df6

SHA1
1145840c78bcd0a6c157ea3ac07de965e18d6274

SHA256
43816292970926a5c63b7032a9786de116791b73a4cd2f4f1b98fbb34a971efd

SHA512
ceeeb7ab2c8fdb326d5403e3f5848db4edd8b2788b6e8aa01f4d24d58517313bf2db0f94f12527f313be5d84e99762e15818c96084984c7d79281fdd294170b8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
2.0MB

MD5
ecdfb7787d70ea5bf974944ba77e532f

SHA1
33f2e95bfecb9dd7c2247f9232d596bc9dfa36a6

SHA256
fa21cd33a64b19c9c709dc9d6715f30a46e7adf4a9e8765fae59e0658218ea22

SHA512
60a1ace82e7de9ecb41e423ae099d4f6f57baad90a950e7c67e450228a172665e1c99f6ddaac535767632f7b8fdfef6a9dad4edff51b284d1d5b42916d9405b0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
2.0MB

MD5
1ebe4ec51d96b9d4d570c2643b0d6b02

SHA1
63fbebc07cd91e9bd69e68ab281256dc66c80c13

SHA256
2eeba2a8fa3c679cf6cbf9f4d2d705fb4b1ac7af4b2df9fcf055014b1bf95ca4

SHA512
c4d44aa98dcf090aa5e9cbd0e8eab8d86c961b2e75e8715e266a495bbe4c656103db1a456fcd6ec070d27e85002bbc978508d994825d61e7c83b9ab84b6cc310

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
2.1MB

MD5
0463d36d3a662c02bc4f0843e425fb31

SHA1
6be521d64885be7c37292ee8a1f9760332e6b187

SHA256
37d524fd93ddc216aa12e79a491697eb99fa453e35d1f3b131cc747e136587c9

SHA512
e7c0f01a7332f2dd74611cfbf456eefaa4984e5c10533117c4ea82704af03803083650ae4372cb87550dc5c1a05a2df3b7ca13784f017346d2b480ba6808c86f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
2.0MB

MD5
2d4770a8ddd6727d00e89721ddbee8dc

SHA1
d699839459504ea4d4f04fd28574441a04754d61

SHA256
26ad8494a412f18c3b967deabd8c852e3e6f5ded749299baf3275f3cd96f7f54

SHA512
5b1584e3666e2c2ea20373e4b0fa2f5e596daf2a56df55f129aa601cc1d071edf3d0ce2d577bf63f02a3962d8c2b94ceddb57231472bd3ee077119dd90ba411b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
2.0MB

MD5
cf60bc4b5e6b417163c8da981a66bce3

SHA1
3df1aa171a5d0e765c06c190460ccab7eee9aef8

SHA256
ce233b5624b4958b51ab6399623c1c06234c75752f426bf38e1666818771cdb4

SHA512
642a0b8a991c3d7ef151f46e6d291e2cf741472971d71576cee585c36fe82af57142d81dfe5238eeb53a5e75af3f6074be5aa0d54014638e323ed6480b234e0f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
2.1MB

MD5
02e80a87c0f06311a63db470d201c9b0

SHA1
274eb45b3282b7165d89f1b5491e9fddf196dddc

SHA256
5adf22f4e5dbb3c4159b8874e96ab81b5f7c3e5a95318c4e442511e761f8cd48

SHA512
e2dd6102d7fca8d0bb3e6493a6511fb6ccde629ca2d5fbb7a205e5489b3112ad4ca27522d05efa6c952e0a2241bbb82bd0dc9e3b909ed336cefe64b7a0483a3c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
2.1MB

MD5
582a14c17a214f96e5157530f6199548

SHA1
fa345d2231f77f1478e143efbff58d1143e389a5

SHA256
cd600beb2e1087cf7a78d48b1475217d6f7b1115ef99126d40d1810de2edcb3a

SHA512
74ed1807a27f98062f80b5d0535cdfe6f63aeadec2e5427e983266738f297c5dcf7a8a0834705150b665ad5383b8ae562236db8eadf512acc3b9420006965cc1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
2.1MB

MD5
ebb41b85582221fbe8da8c82ec161a34

SHA1
cb362163c6563cbc3ea63911f65d13497157d989

SHA256
17730410afc6e21084d5c7bc098427f52963cfd4e85c0405a4e42167f5e7b9a5

SHA512
54e53345819504cee3abd0cc3c1b5a5f11a1ca3dffc9fc5a8556bf2c6b0b16650d00fa2b8e305294741cfd36e1a886d461d2b207796041593d7e395ebfcd660b

Download Submit
C:\ProgramData\fQgMwwUQ\zIckIAUY.exe

Filesize
2.0MB

MD5
6e279cb6f35379e75f08555c42b917b7

SHA1
738003f73e49964f1e5757f166acfbd566bbf2d7

SHA256
27b7dc43291a755cf69e35ab8ab2acbf6c7ea6ea1dbc842ce88d0aba3b60b75f

SHA512
56736d103fbe183ab8cea3735de8a794f31ca9548428f52d9a036984d89f6b38f0e2b588e54994bf7d3d98eaec4bb2e2124bf83e61ee2c7bace83bbe642906fe

Download Submit
C:\ProgramData\vqAAgYQo\yOYgAIQQ.exe

Filesize
2.0MB

MD5
148f8ada5e06f90de32986d95019b80d

SHA1
4424fe51a5d03e5992592c783094f376a2c6afe1

SHA256
2a715661cc7e2e4bd147eefc0dc0f3cc1f72127ef2e80be0de67f6cc6805626d

SHA512
73c2b9a1e962a530beaae24c3ac85aca67035ae03b2e616a846d2820cc9c583764d1d261320137cb764971673623f95aeedd004e4d54bef87b0ad2dafcf2b1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JisAwcwA.bat

Filesize
4B

MD5
7fcadc60c5ebc6074050f8b521352184

SHA1
162c41b14bd02c78d44eaad00279927fe571e815

SHA256
64def3afaa0cef80ea0264a5d34e79e105da8b7014a6d38301697b0e5300dc8e

SHA512
e9201c2ae5cc675810f9741f9029b7f26cda30775ff4adb040af9466a441ad25c51fe86cdc23cd25f840bd25d63561e30606c06a9b7049366d0a334a9ff1bb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKwgcAok.bat

Filesize
4B

MD5
f56f7eaaa3b1f8d3a03b820cf0fa701e

SHA1
34c89783be8d16df6d89ae9046b10663d565855a

SHA256
85c2e324ddebca3b14676f0b33a120ca80d2a132650a4505216a21e562556cdf

SHA512
e93d04628537fbb3a875ec56e32d1b5d3c0836b7f02837e5af9eaf4705e9b96ac71a66bc4429559eb1129630029616356cb32777ccac223926b14808129e20f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeMsIgUE.bat

Filesize
4B

MD5
41b4673b9c8c150221da2b143376f451

SHA1
562569e2fd0b5ae2b78c92c0e6de637377cd5633

SHA256
3953b64831b1967100a5f4be50c13e55036a2bc25e468a1e1b81018edb24eb00

SHA512
acdb05d651a80fd4f4061564110916f75bca9f8b2d334549b07bd33f95fd96b81823ae78825cfd62677b4fd8f546c91addba47b0afc7313ffd90e1cb0891e901

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsEsEkoQ.bat

Filesize
4B

MD5
b7655a4b73475469bfe7757c51a4f7d2

SHA1
41a67b9c28c027115a48504d1852a0c7005a89f0

SHA256
272b420887687085ae34c68bce6c3d96104de51147179be48968744bf16abcc6

SHA512
10bdca06b5a31a3b15d269da6dc6d870543bd3de515f41e40ae0ffbae369705cae9639ad2b080a1917d5e9020fa76efb7bc2ddbe0a7a990a3bf83a200c69c703

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKAYcswQ.bat

Filesize
4B

MD5
7d5cd8b6d9de117a04d8cc94caebf247

SHA1
8d17a577adc6a52b426aa68c1e4b933e12fdd61f

SHA256
548be5d0f2b273f476b81d3bbf984b94c3a212ae716d7db3d9683e3c25675486

SHA512
b4016f5c2c77a11428c6d1dcaa4a808abd76c92eeb15e08c5d33aefc3ed5bbc62b931a77a228f4f2d31eb194ccbe188c465b3b0cc705d09eeb1bf76fb4768b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOwkIEEo.bat

Filesize
4B

MD5
75bea0542a209d56e1f5d6abc32e7529

SHA1
73cdabfa2fcbf44a0c7d82f3bad4f4d82208fe2f

SHA256
ff94f00c04fc4aae90460e4704bd6e8c705c677585c279af3d8c553ad7c44b9b

SHA512
a30394839fb53f75728c9533f81fe143ebf592f7d140ed82234c157ed8e288fbfd99e4a609ba4496127146ee4d58d9cbb843a4433780b61ea8382bad666adfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsgQoUYA.bat

Filesize
4B

MD5
efb3e3f6be08f6414350073df6378ec6

SHA1
ee726d4394ff26f7206c24b41962a51d917046cc

SHA256
0d9765500d50a76ff4e85bfb0d3e4c6248fa6b2838a9808343c3b992d0e9f73a

SHA512
4e5f0697d3b3eca7fda0a3678004c013e4be187e7fc9acab0e9757f20d59556585fc31412c4a9d0af9297b3da4039576a7756f940044effe83c6ce9aacb52f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQAoAwE.bat

Filesize
4B

MD5
5662b64f2526d1f6c6d4e219c0d0b27a

SHA1
9ba86756fbccc64881cb9a7b559d7ee37f47cde1

SHA256
80618be3741fe93e6700f2d1b3b97662eda93262647f11d2c291178170b1dbaa

SHA512
2c56d353e1bfda6043d47fbfa4c3a3229b7a12ba5974c8e4b44794df51ba49f4c8f100c50dff8c59390cb94711643c0de5fe2a3d5241f2bfe3367a3e8c47ce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\owUkUMsk.bat

Filesize
4B

MD5
56ef15e9d13a2fe90bf346a74b6a7478

SHA1
1cc809460a3d70fd6e40e812e01dcb4da714c4ce

SHA256
d126c7b60fa53a324e65c689744ef146058b65a997d3957f8a2bef651e5e0a82

SHA512
daafc269db57cb7fdacddafa361da86b1d1d832728738e9b52f4189977fdee15e9ba83cb3006b04623fc9bc3af036d20a2c0a8e12473451464c3db6823a13d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\weQEAAYQ.bat

Filesize
4B

MD5
4bdbbf3630da968e29fbf50eda1a2d90

SHA1
39524053ce3f8cbc677ae6f1ede1b4d90c9cab48

SHA256
5fb9e8614b50a7da18ab0bb51b56cc7b357515d47dfb48e25cbfa2ee5146489b

SHA512
c72559f71c311732f1d5ea591f3cb121a66039bee4515418ee3bdc6c87618abe9f589901c8feb6d026379a4ddfdaf015789586650c22ca8d499ca01d86cee080

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\Users\Admin\BiIYgQog\CyYwYkco.exe

Filesize
2.1MB

MD5
cef201e0bd12096885c8532c075c5d28

SHA1
579ba33a95408615288e0c67818b7246d867a654

SHA256
b44edb214336c69340afeea0a85990ad3f8a0ddce32b0ad247a358f837b7979f

SHA512
929b9cf290be191e72909143fd907edf448f8fd2eafff97ee37d1c5870e37fd642d5ec0de77d562dd3405d496035c405e9a9f1e74ef6b415eefefaf1870b2cf6

Download Submit
memory/1676-0-0x0000000000310000-0x00000000003A2000-memory.dmp

Filesize
584KB

Download
memory/1676-1-0x000000000040C000-0x00000000004A1000-memory.dmp

Filesize
596KB

Download
memory/1676-1076-0x0000000000310000-0x00000000003A2000-memory.dmp

Filesize
584KB

Download
memory/1676-1077-0x000000000040C000-0x00000000004A1000-memory.dmp

Filesize
596KB

Download