SecondWrite DeepView - 1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b

1.7 MB

Size

2020-09-21 18:34:32

1600713272

Windows PE32 Executable

Classification

Full Detail

Ransomware

High

Trojan

High

Virus

High

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Av

Disables Windows Security features

Anti-Sandbox

A process attempted to delay the analysis task.

Av-Tools

This sample is detected by clamav as: BC.Win.Virus.Ransom-9157.B

One or more AV tool detects this sample as malicious: Trojan:Win32/NabucurObfs

Dropper

Drops a binary and executes it

Generic

Sample writes a large amount of files (Over 100)

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem

Expresses interest in specific running processes

Reads data out of its own binary image

Attempts to disable UAC

Automatic Sequence Detection maliciousness score: 56%

Http

Performs some HTTP requests

HTTP traffic contains suspicious features which may be indicative of malware related traffic

Network

Sample contacts servers at uncommon ports

Performs some DNS requests

Packer

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x003c0000 allocation_type: 4096 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 1691648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0c520000 allocation_type: 4096 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x003d0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x003e0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 31457280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0c6c0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00640000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x003f0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00660000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x006f0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00700000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00710000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00720000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00730000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00740000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00750000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00770000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00780000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00780000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00790000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00780000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00790000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x007a0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x008b0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x008c0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x008d0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x008e0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x008f0000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00910000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00910000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00910000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00910000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00900000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00910000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00920000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00930000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00940000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00950000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00960000 allocation_type: 12288 process_handle: 0xffffffff
2452	NtAllocateVirtualMemory	process_identifier: 2452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0e790000 allocation_type: 12288 process_handle: 0xffffffff

The binary likely contains encrypted or compressed data.

Persistence

Installs itself for autorun at Windows startup

Program-Level-Features

Contains obfuscated control-flow to defeat static analysis.

Uses anti-binary translation code by allocating huge blocks.

Service

Creates a service

PID	API	Arguments
2484	CreateServiceW	service_start_name: start_type: 2 password: display_name: yMckgwkS filepath: C:\ProgramData\BaYccoIY\CAMIMsAM.exe service_name: yMckgwkS filepath_r: C:\ProgramData\BaYccoIY\CAMIMsAM.exe service_handle: 0x0072e1f0 desired_access: 983103 service_type: 16 error_control: 0 service_manager_handle: 0x0072e268

Static

This sample contains high entropy sections

Stealth

A process created a hidden window

Deletes its original binary from disk

Attempts to modify Explorer settings to prevent file extensions from being displayed

Attempts to modify Explorer settings to prevent hidden files from being displayed

Yara

Yara Pattern Name	Description
IsPE32	No Description Available
ImportTableIsBad	ImportTable Check
HasRichSignature	Rich Signature Check

MITRE ATT&CK^®

Enterprise Matrix (Tactics and Techniques)

Initial Access TA0001

Execution TA0002

Persistence TA0003

Registry Run Keys / Startup Folder T1060

Hidden Files and Directories T1158

Privilege Escalation TA0004

Bypass User Account Control T1088

Defense Evasion TA0005

Virtualization / Sandbox Evasion T1497

Hidden Window T1143

Software Packing T1045

File Deletion T1107

Bypass User Account Control T1088

Hidden Files and Directories T1158

Disabling Security Tools T1089

Credential Access TA0006

Discovery TA0007

Virtualization / Sandbox Evasion T1497

Process Discovery T1057

Lateral Movement TA0008

Remote File Copy T1105

Collection TA0009

Command and Control TA0011

Uncommonly Used Port T1065

Remote File Copy T1105

Commonly Used Port T1043

Custom Command and Control Protocol T1094

Exfiltration TA0010

Impact TA0040

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x001a0c26	0x001a0e00	7.15092474856
.rsrc	0x001a2000	0x0000115c	0x00001200	5.98976900047

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_ICON	0x001a20a0	0x000010a8	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_GROUP_ICON	0x001a3148	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Strings

!This program cannot be run in DOS mode.
Rich!4O
PzB[VZ
),Q'*,
p/0JRL
dTB<PP
3"F74I
7o${w
hXKY4[%q
uTV{AR
i*n\3>N4
6&nI[!>
nIr >
`>.oG>
Y*Q?lA{
Y*Q?lAz
&lZoJ,
N?lr?k
N?lr?g
)w*S4]p
XslC`FZ
M,H`uV
M,T`uV
rA5tuVn
,d`uVbX
;M,\`uV
<T`uVV
BRnhmw
s$s|9f9
dG<pfGT
G27#C5
2G7cGT
k2s\e
E2s\G!
^6jf^^
H+R-c$;
h<q|lC
861&;6
+<FO+
E'lQ,)lB
?'l20}l
rb/PQ:GC
Qs0'l<
zLjCw8
uh[c|s
Vae'Vc
X:s R<rY^&d
S&tY_,
sYH'a
_%eW~&n
X*tYI&
S,tY\'dYI;yY\.a
R-eYU(sY_,e
R-eYT:
X;iT,dYD&u
X-. R<
S,tY^&n
T'gY^!e
V,dYS&wWi;yY\.a
\' 4R<n
X- )R%i
=oYM(yY\if
S,?Yi!e
DiaY[ n
*a?X-e
\% ;H;e
R' 7R=i
( T'eC[+iWZ&v8H:t
\' *X*r
^, *X;v
\0sYI&
XsW.jgG6kgA,j
&fYI!i
nYI!eYM,r
i!eYt't
\% )O&p
O=yY|%l
P8J>wWt
u&wYI&
Xv -U,r
( T'eCi!i
Q%yY_%o
:oI>a
I,dWd&u
O:tTI m
&fX'd
( T'eYR/H
U sY^&m
fYI!eY[ n
sYS&tYM(i
Q% T%e
I:,YP,d
&nYI!i
X,nYX'c
-U,yYJ l
+eYM,r
I%yYO,m
K,dYT/
U, T'eYT:
\ dYR;
R?eYI!i
sYY,t
( T'eC
H; T'eYR'l
Z! ;T=C
t:R nYT:
T-eW~%i
=oY[ n
T%lY_,
V,dY\/t
^(lY^&u
R<rY[ n
(tYI!eY
JgAYN9e
T(lYO,s
T&nYN&f
+yYP(i
U nY\iw
sYP(d
T'eY[ n
&fY~(n
+yY~!a
fYI!eY[ n
sYS&tYM(i
U nYI!r
D:,Y\iw
T*hYJ l
+eY[&r
^(lY\<t
X- R;
Z!tYT'f
sY\if
T$eYI!a
=oY[ v
Xe R;f
iUWngCYNg5I
iUWngCYNg2J
\?eY_,e
&nYD&u
O" T%e
/T,wYX'c
t:R nYk,n
R;s1R>
\'sX;
T'sYI&
U, R%l
T*kYI&
y=IAI,rYI!eYM(y
X'tYT: T'a
X; -O(n
t:R nF
t:R nYT:
:oI>a
N,dYR'l
T*kYs,t
R;kY~&n
R'sY\'dY^&n
X*tYI&
U, 0S=e
S,t R<rY^&d
X-.Y|>a
Sg )\0m
S=sY\;eYM;o
=oY{;i
T,ry=I
T,ry=I
T,ry=I
T,ry=I
T,ry=I
y:TF;T=C
T' <E*h
t:R nY|
M(d7X=w
O" :R'n
Xd>*\?eWi!eY[ l
tYQ(t
OgA-p:
S,yYp,l
T,s9\+a
X*hW^&mW\<
I! ;O s
O.eYN= *D-n
Di-Y_&t
H;tYR/ )T=tYn= 4\%lt7cE
H, +R(dYn&u
0C*;Q(c
o :\/eY
_ nt7c6N
S, ;T=c
TnsY~(f
S,yYj,s
Ye :S; )T=tYn= 4\%lY\'dYp(r
X= *Ie :
W ,Yq,v
B=0C*5X?e
{ ?R&dY~&u
Ie ;H'd
De :\'b
O;aY~,n
R.yYm=yYq=dU
Ne 5X?e
s/\9eYq(bY
M, 5\+ ;T=c
I*hYu g
X,tW0C
I*hYu g
X,tYq&n
\% ;T=c
X%lYn=r
X= 1R%b
O',Yq&n
\=mW^&mt7D
-U, 6Q- *U&r
S- +Ye 5R'd
R;szx-m
~)zk(n
z)zn!e
})z|%b
x)zn(s
x)zi&r
{)zk c
a1P>IR
R*oWT'
SiA-pib
SiA-piM
P(pW^&mt7D
MYT' *U,r
R*kYu&l
{ *Ig 7jD
R'sW^(
N= <Y$o
I&nYp(l
S/o9_ t
S(lW^&mt7x0K
p 3\:p
o[,eYn!o
SiA-pD
M,rY|?e
H, <Y$o
I&nY|%b
O=at7!t
Ms/VD,g
I,rYm&n
Qe ?R;tYp*M
SiA-pD
x3Yu(r
T' *I;e
SiA-pi-Yp&n
T'tTq,o
\;dP0CM
X: 4X=r
e *X*t
R' +R<g
T' <N= *\ n
\-at7!t
Ms/VT's
SiA-pi-Yj;a
x ;R<l
-eYp(i
H?eYr<e
S/o9T's
X;sYi,r
Hn{ t7!t
Ms/VT's
d ;H0 ;T=c
T' 4R't
X(lt7|6K
-eYQ( :R=eTY,sTs,i
X:,Yp&n
R nYx$b
SiA-pi-Yp&n
_,ct7z4A
\;dYN=.YQ(u
X'tY0Ch
N:yW^(
N:yW^(
X(lUk15Yi,c
~ ;R<lW
X'tt7z4A
\;dYn(i
Ie 4R't
CYu{XY
N,dt7D
:X%l-X"
X=/t7{1L
\% 8K, <
e /\'c
}6I0Ch
X; ;T=c
X;,Y_*
d ;T=c
q6Yj,s
De /\'c
M%eWS,tt7
d ;T=c
Ii2H0Ch
NYvxNt7D
-U, ;H;b
o <\=e
x 1\3e
Ii2H0Ch
\% Qn(i
H1 )H*e
T' -R<c
X3 Qv o
Qg 4X=r
S=-5X&n
He~ :\'a
R nYq(c
R nYq(c
| 4I,eYY,sYm o
xSK0Ch
P nYY,
}/N0C2I
I/xe *u
iA;0Ch
R'sW^(
N= ?Q&a
T40C7T
^,,Yj!i
O8ye 4
Q,rW^(
N*0C2I
s0CE=y
E<viA0o
iM;0C2I
s0CW-~
Tt7{0M
x2Yn= 7jD
R&n^NiB
SiA-pii
S/o9_=c
x 2O(m
K- +X.i
\-at7>w
Hxz,Y~(n
si!eY{&x_{ d
I&-2T&s
x2Yn9e
^,rY|?eU
I! ;\0
R nYy,c
Xg,Yi&r
S=ot7!t
Ms/VJ>wWY,c
\% Qz(t
J(yYs,w
NYp|GY
d /T*t
Mt7x1I
\e ;~e :\'a
S/o9_ t
1\%i\1 7R?aYn*o
I,dY\= =H;t
N! )H+
si!eYq(m
N, ;T=c
Y,rY\im
N! )H+ H
Q, *IiH
Ee 7niBJwi2;=
Ns/VJ>wW^(v
\*st7+i
K,sY~&fX,,Y
y 1R>eYn=.t7a
Kp} :\'a
*aV0C1T
I:vd5L
D: >R%dYq=dt7(a
Y( .T-eY
~ 6O-z
R- )\;kt7D
&fYn(t
N!it7?a
Q=oN(t
N!iW^&mt7a8L
y1t7a5H
y1t7z4I
O0 *I;e
Ie ,S tY
O-,Yr't
I*ht7*o
I*hW^&mt7
T%:YN<p
R;t9^&i
t:R n
T'sW^&mt7D
R nt7=r
_=cW^&mt7D
1R%y-O(n
T&nW^&mt7D
:R n-O(d
\$pWS,tt7D
:\:hYt't
V,B-~D
:R n+S
sJ>wW^&i
O'rW^&mt7D
R nW^&mt7D
:R n:\/et7*o
S*aXgc
\:eW^&mt7D
T' :\/eU
d KS- ?Q&o
{2K0CP
}6t7:u
S*aXgc
R$.t7D
5\"e;i
sJ>wWQ(k
_=cW^&mt7D
X:s:R nt7,x
T*kW^&
&tt7+i
R<st7+i
R nW^&.
R nW^&.
{ *U&r
Z! *I;e
R nQ&o
S/oVS3.
ZW^&mt7
T%:Y^&n
\*t9_ t
t:R nW^&.
\-eY|<s
X:k9_=r
Q aW^&mt7
O%dYn8u
T' )I0 5I-
Q at7*o
1\;d;Q&c
R*kWS,tt7D
:R n5R/tt7*o
S%oIgc
Js :\'a
T(nYx1c
T(nYx1c
S(lYx1c
t:R nYT:
:oI>a
N,dYN,c
S(lYQ(wYX'f
X'tY\.e
=oYM(yY\if
S,?t7x.)H;c
\:eY_ t
MW0C2Wi;a
=oYI!eY\-d
M0)C0CT
\=eYI!eYS,a
X:tYX1c
&rY\' 8i
M,nYI!eY^&r
Q&wW0C
Q,tYR;
\'tYI&
I,rY\in
Q&wYI!eYT's
X= ;O&w
X;.Yz&
R<rYXdm
Yg 4\"eYN<r
R<rYM(s
:aX%yU
_%yYR/f
T'eQ^%i
Y`.Y{&l
=oYI!eYN,c
Z nYI&
R nYJ(l
Z nY~%i
I,rYI!eYM(p
tYP(n
T*kYR' ^|-dYm;i
\=eYv,y^
X9 2X0'W
R nY_(l
S*eYO,f
t:R nYM(y
^" ^n,n
X0'YR'
N:,Y^%i
Vi'*X'dYm(y
R;eY\+o
T'sWT'f
V /0S=r
i YX'.
V />X=t
V /;H0i
S: YX'.
V /4\ n&m(g
DO9@y=<Q
9mL}=I
9mX{=I
&@y=?8
p9=Hu&
|O9@y?I
9mL}=I
9mX{=I
8;p9=M
9@y=<E
;p9=HusU
9mL}=I
9mX{=I
p9=Iu~
;p9=Iu~
p9=Hun
;p9=Hu~
DO9@y?<
p9=Iu~
DO9@y?<
p9=Hu~
8-o9=J
&@yWHjy
:H^j:U-o9=
/WdhkT
sY\ic
Yie[&r
+yYhgSW
\',Yx<r
U,rYQ(wYX'f
X'tY\.e
R:sYI!eYZ%o
T'gY^&m
DC9@ycF
DC9@yKF
7p9=,t5
L#9@yUe
y=!,x=IS)
9m*z=IX
}IhU<I
7p9=EtQ
9m>z=IX
Lg9@yUe
y=!,x=IS)
}IhU<I
p9=!,x=IhU<I
9mwx=I[
j,Uan!=
M$#f#k
9mcx=I
9mwx=I
9mMx=I[
9mg{=IX
9mIz=IX
|Y&@y>L
7p9=nu7
9m[{=IX
y=!,x=IS)
DO9@y=<C
}IhU<I
|b:Xym
p9=Itk
j~Urg!=
9m,x=IX
p9=KuJ
"WRh{U
"WghdU
9m,x=IX
9mFx=I[
DO9@y<F
9m6x=I[
9m@x=I
9m@x=I
7p9=nugWY
y=Iu`WY
9@y<<O
p9=Hu>
p9=H4]
p9=H<]
9m,x=I
D[0XyWY
DO9@y9F
/Wch$I
9@y=<d
/WZh3I
/WZh5L
DO9@y>F
juUnt!=
/WNh:I
H8Uf!=x
'lgrOl
./aYsA
LmmGMb
;mLbjS
]hLb.k
C5J]z5U)*0
haPslx
hVslBU0
<R\uQm
^P9p[c
z %rzp
<%8lAD
4SPe'bS>
,:r>[t
tr6[xr>[|
S&lCo;p
Em#]@+X
|"-'bJ(
Jy*BG!
}I&lBN6E
z;b!og
!oe]K6
xoeUK6
!oeHK6
mkoFoy
k>*%<H
k"*%8H
XMQT[Y
zLjB7*V
"VnHv>kt
i! &lE
{q96.
4UO{pY
&(Yl/_Y
J@\&&(Y
!S;lC7
EC`4FW
Qna4F
4kMu4-
&l!fRl
&l!fRlB
`62;[Lg
&lQ5:l
hp&<lC
&lB9MR
)\tcpfZF
Rep25aV
v4RMtHlMg
Rep25a
v4RMtHlMg
Rep25a<
v4RMtHlMg
Rep25a
w4SMvHlMd
Qep25a
Rep2-y
u4QMtHlMg
Rep2-y[
u4QMtHlMg
Rep2-yu
u4QMtHlMg
R]d2-{
mG4P]g
R]d2-{$pg%
mG4P]g
R]d2-{w
Q]f25c
mT4R]d
Q]f25cu
R]d2=k
P]g2%s
P]g2%s\
P]g2%s,
P]g2%s
Lw|Wq1
,yv-9\
E<?;-9
\:-9su
VzzK`H
cN?wcN's
w%B*,
}iS]oss9F2
Lq[QS3
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

Dropped Files

004d4411daf46126_BwES.exe

Name: 004d4411daf46126_BwES.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5cd196169cc1bd6e5496a3318583423d
SHA1: 1576bf58be1f5ccec7e66b5171f352b0ce33b2cd
SHA256: 004d4411daf4612612eb5c249932d5067b0757f6f273d590741dfb71a7c964d2
SHA512: 3b8b08097aabe5eecc22616c7bba1e34db979391315a8870dc57f3e904c888d90042be46db3fde4ffe4f420c3d467eab1b53eb27d0e24d421498aabd89b292fd
Ssdeep: 24576:XW0fppnFFTiXhR5ry/XbDdTtRzFhvpwjshTjDRT7JDBJhNHfxL5O+TRfnV1z7Lta:5NCqt952/6Djbwet5uLuLI

0c1a9ade9fbeea9f_Ysoc.exe

Name: 0c1a9ade9fbeea9f_Ysoc.exe
Size: 17.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b9afc43fdfe881315a74edb18a0ac34c
SHA1: 7c0b7b0df5b4cc0b01736291b359814ec087139c
SHA256: 0c1a9ade9fbeea9f45858515b4420116553ed1e5f3a11f8b595a53ef4adb919d
SHA512: 3ef3b30093f906e29580c1b72ddbb633c9a612c20a47704ae0a6f6e27d9ac20439d2026003dcbe6e87ecf35bce833d27f97bf3e330829507a612783629c8c4c8
Ssdeep: 393216:O92bSa/a5KRYyBHSQJY57/oNJSKJ/kwNLZy+ibgShozWGZt7xntaNAEooh7D:eKRYy8Q0onSKJ/kwNLZy+ibgShozWGZY

1176637004956c3c_1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.exe

Name: 1176637004956c3c_1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: def0492c7b5af5c339d8bb602b9f338c
SHA1: 0113570223b581793fec2b905420daea6839ee96
SHA256: 1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b
SHA512: 0de6178cc367b678356c1b7c77bc7ae979b00d9e6bfec718dd06324c11a9380a06cac6aa50b19f21f56f8288d9c88fabe32549cba2f2691e1422ec2ee1db4601
Ssdeep: 24576:H/HuP13Z12/rpCjq2MgFJ8i9gT2Swn8OxN:Pu9r2/rSvPAySwn5xN

199bbf15a1b0d52b_Yoky.exe

Name: 199bbf15a1b0d52b_Yoky.exe
Size: 6.9 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: a1ba0d40ab34b96a2cb6907766597545
SHA1: c33802aa0c9780dcb619f8ccdbdb4544d6863f61
SHA256: 199bbf15a1b0d52bf3b15e97cc0ca3a78405417f98d7db495c8301321abc0ff3
SHA512: 711f0d26f60452a27d2a571c6f7749f8c38dfaa3aacc8edc46cb8bbaf7eae71a86d0e67dc31b000229f1330b636c1f3b498fd1c285992f27428682638a680f86
Ssdeep: 98304:yoTWIXIZrLnbiUxJ8ZTXA9uXeS3r2vH6ZQ4aOEGgk2J8GuFuEp:FPXIZHGRQ9OeS3rQH347p

398dd9b8096a4345_rYUw.exe

Name: 398dd9b8096a4345_rYUw.exe
Size: 5.5 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1037baecc14f700acfbb1581b5cab5b8
SHA1: be0cc861895f6e9de0c3ce763b33e30838e7e1d0
SHA256: 398dd9b8096a4345b4ca72c551398342198be46fbefeaec8b605f3aba50dce56
SHA512: 9fac914f2c69b8c94301ecfa8c2ba3fcb9fc9d3162e4b07542b787ec4d9a405ad4dd1c050df98945c1d6b501c4f0a19663b65d6fed787de27a4e00fa7c9376cb
Ssdeep: 98304:aiP2ntcOzYvHTQcpufUIT3RCbMsdld+pYAaTLH:kntcOzY7iRSMkEpYAaTLH

411e693d8e3ba2de_ksEW.exe

Name: 411e693d8e3ba2de_ksEW.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: a6647a147bd5e4e3ed03ba8efafdf180
SHA1: 3977628a4d32e274434981b54186c342f93d61ee
SHA256: 411e693d8e3ba2de1997406de7cf22584b06b0725f72f8cbf91880d33cb7a325
SHA512: 041a292fbb1c87a59912ddbb40e2b7a3dd01e3fb4dedc692bff87c5b09c9fc71a43f0e25f9ac98468e1398ae07849af4f71b1c070a2bd273770b1cb1e7dcfe8d
Ssdeep: 12288:AtMqA0y967lBu1J41BsZhTJlF42zU1yO52ZmZnICSESd9CDCivsxDQb3xkzYe0dH:AGz03j1BAdHFb0fnI/zdy3aTz6LoYk+

48197d54bcf88cca_CcAW.exe

Name: 48197d54bcf88cca_CcAW.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d0ae68b5b0316b7907826e6985849ecb
SHA1: 12d24954834e545e5081b7dc0d7ce3a8823867d6
SHA256: 48197d54bcf88ccaeda1c56a583c89dbb3105747c3e2cd75223ec8dfa60e6a3d
SHA512: 8cdfe5b82535f47485f6d739b57f2f3e75da17c6140a1d8eff634b76be5eab35789a6f59b11216683b3ac8927e10582dc544a8f9ee4b1ff33000b79505e334cb
Ssdeep: 24576:X5Ra5E3Gfy7Qpd5wzghnquRXv+XZ1Jtd1:X5GfyA5w6n7v6ZvtL

5693b6a3f8c89525_gMQs.exe

Name: 5693b6a3f8c89525_gMQs.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0c8bea136757f45cf6d56937492faf64
SHA1: 66eda335a155a79690dab204b9479b797f85bf69
SHA256: 5693b6a3f8c89525ed27aab09861f701d14a1285e9f290a7ed726d88eb7c948d
SHA512: 398150124ad83e8f493c20549dd82b43f0b8a7a705571f847c2e703369ab4adb0b5de77a5f8836ff857be658a85ebe67ca9a78e8a4309cede30536b0319745ad
Ssdeep: 24576:iX+pqtcRmiceBsjvQq4C+pXWcZz8OOUQY:PmiceavQqSpXWO8OOO

8f78b8a201a573e3_nkse.exe

Name: 8f78b8a201a573e3_nkse.exe
Size: 5.5 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8cd5cab649fb11b0ca5afc727550097b
SHA1: 72be2d5e8903a4a480194aac44be29f03427a7ef
SHA256: 8f78b8a201a573e3964d28d217f804275f361e8d8d21a7e98146ea5675025b81
SHA512: 43c369b6deecf7ea88d925569c1e63361031220c6cae4387458f90a56c1ad19ead39cdbf0be9ba8620649c63ca37185ee65ff9a181fc253e95a3055c0e83f327
Ssdeep: 98304:kE4yoK42bIZUShw5BzSfIWYOpBJMmtCuq6IumOlTOqUwMD:kyoKQZUShw5EIWYOpIwjIu1lCqUwMD

a7a08900f05f0174_cQUi.exe

Name: a7a08900f05f0174_cQUi.exe
Size: 1.8 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: a700ed1f608d1bd5a73f1cc0482a9e02
SHA1: 73ca2156260c8c7c9044ea26e444d82e5e46a7bd
SHA256: a7a08900f05f017486a72f5d23e596e07d8c6e04f9c2e3a52cc40191e49cd35b
SHA512: 8673299f7f333ec23432dd8fc5ef081168982a013775a13a94726424ad5c88cb0c67ede87915a9e4bf497a1813b373472235146cc41a8211ff846f1a0d53842e
Ssdeep: 24576:gELuLAiFQkTe7Of7vsHaixmazCELyYoA6CW5WQkkfO55P:SnGkTe7+Ttc0q55P

bd123f7874d232f7_ZYMm.exe

Name: bd123f7874d232f7_ZYMm.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: ff78bc8ce3a66fac8b680a2bb166cbd8
SHA1: 3c68b2643b164f70db8b776299b668879f14a992
SHA256: bd123f7874d232f7e02034324e8e0ee93c4aa0c6949e60b1f07613f0ba660a6a
SHA512: c1872954867cbe464636640a131c69575b527fe063fe4f5b91d01551369d6550cfb8172cd4b74f3870bc84ccc458db5f7a44de2a3c94f14f5b92a8ad59e599b1
Ssdeep: 12288:3FPyMKE/irLQ1V/o7HdSwqIf3iUTl+cms1uIlpxURjJPBmKDAC8:3dQEKLi/04wxf3RJB1xojJAsF8

c2bb589f62cd071a_rAge.exe

Name: c2bb589f62cd071a_rAge.exe
Size: 1.8 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 01c80b88205a4c7825bff6540b704a6e
SHA1: 835135709f95ae63324f3b2a6e0688aa4897e9a5
SHA256: c2bb589f62cd071a0d02ba9e135a4f0a7c62402d76de8b1a4b373fb5f55da787
SHA512: 85dc8705594e2ede8092b2c753735383c9b1c3b44235683d2888451735990cfc402d9e91778b935a5a303a1ea23b38953aa7e20dd7f3e0f29d3e13dce86f22a5
Ssdeep: 24576:LRFOZ0RGu4TU843egmWpN+QHXH9mNQJEsnS:ou4TVUD/+m35JEsS

cacceb5eef6758ed_sAoE.exe

Name: cacceb5eef6758ed_sAoE.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 322cd7300a113fb475c5be15f0333ed5
SHA1: 5f043109b71338cd4364c60dc1f79055992dc33b
SHA256: cacceb5eef6758ed1515c685cd620160d9dd044e66070bad8d72d7bd8802d552
SHA512: ec06871a8e2abf37ee7daa39730e6054db804fcd04d9f09ddcffb068395e8657f038d752256031b05072e4ac9f105976b692d994733bf41d7d442eae0607ad2d
Ssdeep: 24576:lEycDFBiyx+ks0uWtjDiHEmWdj1tgytS/PmKu3TmltYfOoM8H3FrdYHemlCrpehJ:l9EmWTtgytylCrpe3

ccc392602101b005_OoQS.exe

Name: ccc392602101b005_OoQS.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 98a5f5c9fd545884047a04d3ea721cab
SHA1: 937da0b9e8cb09d42fdefd7410ab68ca0d07e32d
SHA256: ccc392602101b00585b533e7d6e25f70b6ec5be97b0ccfc14d48a6ea21655801
SHA512: 3c739c8f49ea3efb142d7b5d98cd90a3e88e7c8e94ddef7ca8b327c48216d7076e5d15ebc9e9e5e6c35d261b1c7adeba0508a4c6527390671c59a73afd11a18f
Ssdeep: 12288:8am5fI5GT8HTe1TyHETbnS4Z2tzvASdFJemG4265Ol/FbqaTwLea4:3n4T8HTwTykTbnEASrJemG4gZFNTw6J

df2645e89fb7b0dd_MQse.exe

Name: df2645e89fb7b0dd_MQse.exe
Size: 6.9 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f3ee61811cde51edfbdb0c031be0e449
SHA1: 7f6e393afdee381f0e0acc150fd22250295692d4
SHA256: df2645e89fb7b0dd40ac512c45c6570366fdea6780152783f068706d6384fce4
SHA512: 7f298285ace7934497357a1245c5f345e0f54f331ab073b2f895ff98772885564a4d79d64ff3db7a0731f4ac8883257fd46e21c79893d9f151bcd64a5e1a0bef
Ssdeep: 98304:xWmpiu0RNRobKAOVBf7sm7hoPGSWxGhdjrQOgnEv:ziu0ObKAOjf7DGPGSUOgY

e3a255c2d30a7738_EAoe.exe

Name: e3a255c2d30a7738_EAoe.exe
Size: 1.8 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4d825f40e7c528637c15c66f510da9f6
SHA1: 214730cd40ddcc5bb0a21491b187647c66897c0f
SHA256: e3a255c2d30a773828f265a93fa892b61031b3a4c5d7484e6eb37b88308e8de0
SHA512: ea623b1ccbb3cdc23528711481fa164ec52b76fefdde49295bbfa7097d59c4a7ee1ecc7aac4fb4d60fa3f64d5cfd6da0c62b7a2bc3c024dbb2347dfe855c1c21
Ssdeep: 12288:ybiG3xefog8UXJe/oBxPSVf+2V+E+zo84CylNtJXAXd9U4BYPJ9Ht4Hy+ND+:zG3Se/2e+2Vj+ICsJz4BlzS

e69ef0d8d45b2c53_gQgi.exe

Name: e69ef0d8d45b2c53_gQgi.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f4f6dfb5d230d7b2353f4303f5e43a10
SHA1: 712d868b0aeddeb72a83ff4c522130de555e290c
SHA256: e69ef0d8d45b2c5365f19029ea608d2406b9aab361de3bacfff9588272868a65
SHA512: 94d4ed55be9b7087c22d7b6eb9bfa5ec32ce248db82dc60527765bb894d6668f02765fad0219db706900f690d9f5601ff6b4d1a0893262104fc1f69a61cdc9a0
Ssdeep: 12288:6bKdfOl/vpjrJ4s7EIndN5EVZhiQHhYLRRmK8d46RTL11NjOXPDd/7+0jO:6eEA0EO2VvYaVdRRT8XZO

ea9779ffa0b2952f_FgsI.exe

Name: ea9779ffa0b2952f_FgsI.exe
Size: 17.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f58ed15e47f970198b228af6a22edbcd
SHA1: ff2453d8711453be3e43d7f768f7f53c3b286a4f
SHA256: ea9779ffa0b2952f4819b0eae0b417ed946c786ce7b6ce39923e0cdb6bb8f08b
SHA512: e070865c948d3a56f8f901de67ade7e312b4bc66696e8d4bbffc72935698dbfab2c7b05d09a03a271a594d60461d9cd23fecd7bc5ea55e75e32032c2539cc632
Ssdeep: 196608:NfjeHTWdR3jSyiS8ewoqZqAQF0jffE8M4YDMdZSygKtr3vVr0bD:968ddbF8NYYd0A+D

f9338c07ae291282_hwoa.exe

Name: f9338c07ae291282_hwoa.exe
Size: 1.8 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8ffc7be3c2b6fd29d823495a20ee6291
SHA1: 3068dc55d9b4a95def8bf4e3eed0bba01b15fd0e
SHA256: f9338c07ae291282ffae7e92fbb5925096d01334f8769baa3328c5105d198070
SHA512: 2f1b1ff715d6dede865aebe85c0f12d87bdba3f46183a7ea73ce835533545c770871a7e90e77cdd2ad2936e4094da0dcef723e0a4e969758c9650a3d76acdfe3
Ssdeep: 12288:9jwK4aPUBwrmrMnQC0tyuze8B3kogkoYlx0H7jxdkU/7+cXyoHhUCtX37:Rf346mrMQZze8azHYlxu1P7OxCtH7

fc87c70bbaf9154b_NUIa.exe

Name: fc87c70bbaf9154b_NUIa.exe
Size: 1.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: cd8b26522c2520f972d8b0224ac3ebbf
SHA1: 94ae0a49f49911a612fe750e5b8cf6800065fd78
SHA256: fc87c70bbaf9154b4e283c172774a82b9202d1e6083ef7b02305418e6bc7c2e1
SHA512: 375f196217b5d68f2d20f972fa5f9260312210869bc642bd97029e181b15f6c1e18b8b23bbffc808618d1303b6a674c086a3c58c9ab258a6aaace848ce6bc1f1
Ssdeep: 12288:Gw6+LBFY4LWWbT1ujmKTp/jfBtgmKqDeARD3bfOBX8BpRX58:Gw6AFXw3TprptgJqDvD3bfOZUfu

Network

DNS Requests

Domain	IP Address	Destination Location
google.com	172.217.13.238	US

HTTP Requests

http://google.com/

GET / HTTP/1.1
Host: google.com

http://google.com/

GET / HTTP/1.1
Host: google.com

Hosts Involved

IP Address	Country of Origin
172.217.22.206	US
200.87.164.69	BO
200.119.204.12	BO
190.186.45.170	BO
172.217.23.110	US

Geolocation

Destination Country

US:: 50%
BO:: 50%

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 603602AE
MD5: def0492c7b5af5c339d8bb602b9f338c
SHA1: 0113570223b581793fec2b905420daea6839ee96
SHA256: 1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b
SHA512: 0de6178cc367b678356c1b7c77bc7ae979b00d9e6bfec718dd06324c11a9380a06cac6aa50b19f21f56f8288d9c88fabe32549cba2f2691e1422ec2ee1db4601
Ssdeep: 24576:H/HuP13Z12/rpCjq2MgFJ8i9gT2Swn8OxN:Pu9r2/rSvPAySwn5xN
PEiD: None matched

Screenshots

Behavior Summary

File-Read

C:\ProgramData\FeUgYgUs\geoswEAk.inf
C:\Users\Virtual\AppData\Local\Temp\AGcMQgAc.bat
C:\Users\Virtual\AppData\Local\Temp\AWAokYQc.bat
C:\Users\Virtual\AppData\Local\Temp\BgsswsQM.bat
C:\Users\Virtual\AppData\Local\Temp\CygcAEYM.bat
C:\Users\Virtual\AppData\Local\Temp\DQMsYoUQ.bat
C:\Users\Virtual\AppData\Local\Temp\FYAsMIkY.bat
C:\Users\Virtual\AppData\Local\Temp\GcEggoYs.bat
C:\Users\Virtual\AppData\Local\Temp\IGwQEwIE.bat
C:\Users\Virtual\AppData\Local\Temp\IIYooIIk.bat
C:\Users\Virtual\AppData\Local\Temp\IIgkkcMs.bat
C:\Users\Virtual\AppData\Local\Temp\JAkQMUgo.bat
C:\Users\Virtual\AppData\Local\Temp\KUoMwgww.bat
C:\Users\Virtual\AppData\Local\Temp\LEcQIIcw.bat
C:\Users\Virtual\AppData\Local\Temp\LIQEMYcs.bat
C:\Users\Virtual\AppData\Local\Temp\LmEUoQoc.bat
C:\Users\Virtual\AppData\Local\Temp\MAMMUwUM.bat
C:\Users\Virtual\AppData\Local\Temp\MOAAYwwM.bat
C:\Users\Virtual\AppData\Local\Temp\MgksIgYE.bat
C:\Users\Virtual\AppData\Local\Temp\NGsQAsYY.bat
C:\Users\Virtual\AppData\Local\Temp\NewQUcYo.bat
C:\Users\Virtual\AppData\Local\Temp\PKcAMYIQ.bat
C:\Users\Virtual\AppData\Local\Temp\QCEUQQAA.bat
C:\Users\Virtual\AppData\Local\Temp\QGkQAsQk.bat
C:\Users\Virtual\AppData\Local\Temp\QOQEMoIQ.bat
C:\Users\Virtual\AppData\Local\Temp\RAUoAMMA.bat
C:\Users\Virtual\AppData\Local\Temp\RewIsIkA.bat
C:\Users\Virtual\AppData\Local\Temp\RkUIgEQg.bat
C:\Users\Virtual\AppData\Local\Temp\RugkoksE.bat
C:\Users\Virtual\AppData\Local\Temp\ScwcgQMQ.bat
C:\Users\Virtual\AppData\Local\Temp\SksYkAIY.bat
C:\Users\Virtual\AppData\Local\Temp\SqEwoUcw.bat
C:\Users\Virtual\AppData\Local\Temp\TEIAAMok.bat
C:\Users\Virtual\AppData\Local\Temp\TSoAgogM.bat
C:\Users\Virtual\AppData\Local\Temp\TWgcAkUg.bat
C:\Users\Virtual\AppData\Local\Temp\TqskMAQI.bat
C:\Users\Virtual\AppData\Local\Temp\UKMgwEMI.bat
C:\Users\Virtual\AppData\Local\Temp\VOAgEMIM.bat
C:\Users\Virtual\AppData\Local\Temp\VkwoIsoE.bat
C:\Users\Virtual\AppData\Local\Temp\WYkUQUQA.bat
C:\Users\Virtual\AppData\Local\Temp\WsEMQYAI.bat
C:\Users\Virtual\AppData\Local\Temp\XEcooocQ.bat
C:\Users\Virtual\AppData\Local\Temp\XKgoIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\XQccoEkY.bat
C:\Users\Virtual\AppData\Local\Temp\XUUwIocY.bat
C:\Users\Virtual\AppData\Local\Temp\XicwIwYk.bat
C:\Users\Virtual\AppData\Local\Temp\XikQckgI.bat
C:\Users\Virtual\AppData\Local\Temp\XikYkYQQ.bat
C:\Users\Virtual\AppData\Local\Temp\YUQEsgAA.bat
C:\Users\Virtual\AppData\Local\Temp\YoYAsAQw.bat
C:\Users\Virtual\AppData\Local\Temp\aYwgYYww.bat
C:\Users\Virtual\AppData\Local\Temp\bMwUcsks.bat
C:\Users\Virtual\AppData\Local\Temp\bQEsUsYQ.bat
C:\Users\Virtual\AppData\Local\Temp\bYUwMkQU.bat
C:\Users\Virtual\AppData\Local\Temp\cGEswwsQ.bat
C:\Users\Virtual\AppData\Local\Temp\cOcIgQsY.bat
C:\Users\Virtual\AppData\Local\Temp\cgAQosAU.bat
C:\Users\Virtual\AppData\Local\Temp\dCoUAwco.bat
C:\Users\Virtual\AppData\Local\Temp\dSkkYsAA.bat
C:\Users\Virtual\AppData\Local\Temp\eAosgMAU.bat
C:\Users\Virtual\AppData\Local\Temp\eIgoIwUs.bat
C:\Users\Virtual\AppData\Local\Temp\eOUskUkg.bat
C:\Users\Virtual\AppData\Local\Temp\fIoMYoMI.bat
C:\Users\Virtual\AppData\Local\Temp\fUQAwgIg.bat
C:\Users\Virtual\AppData\Local\Temp\file.vbs
C:\Users\Virtual\AppData\Local\Temp\gAQgcUwc.bat
C:\Users\Virtual\AppData\Local\Temp\hMwsgwEM.bat
C:\Users\Virtual\AppData\Local\Temp\hcIkQsUQ.bat
C:\Users\Virtual\AppData\Local\Temp\hkQYcsMs.bat
C:\Users\Virtual\AppData\Local\Temp\iYUMQIkQ.bat
C:\Users\Virtual\AppData\Local\Temp\iwckMAEA.bat
C:\Users\Virtual\AppData\Local\Temp\jMogQUkA.bat
C:\Users\Virtual\AppData\Local\Temp\jQwQMIwc.bat
C:\Users\Virtual\AppData\Local\Temp\lowkIwAk.bat
C:\Users\Virtual\AppData\Local\Temp\mUgMUAAE.bat
C:\Users\Virtual\AppData\Local\Temp\mWgMUcQc.bat
C:\Users\Virtual\AppData\Local\Temp\nKcgQcIY.bat
C:\Users\Virtual\AppData\Local\Temp\nuocskkU.bat
C:\Users\Virtual\AppData\Local\Temp\nwwsIUsw.bat
C:\Users\Virtual\AppData\Local\Temp\oCQEwscs.bat
C:\Users\Virtual\AppData\Local\Temp\oMUQgwsc.bat
C:\Users\Virtual\AppData\Local\Temp\oYIkAwks.bat
C:\Users\Virtual\AppData\Local\Temp\pcskMoIs.bat
C:\Users\Virtual\AppData\Local\Temp\pkgwkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\qOMwgswk.bat
C:\Users\Virtual\AppData\Local\Temp\rCkMEgAQ.bat
C:\Users\Virtual\AppData\Local\Temp\riIMwccE.bat
C:\Users\Virtual\AppData\Local\Temp\skcQgMsE.bat
C:\Users\Virtual\AppData\Local\Temp\ssAAsQMU.bat
C:\Users\Virtual\AppData\Local\Temp\tAYsAcIQ.bat
C:\Users\Virtual\AppData\Local\Temp\toQAoUkw.bat
C:\Users\Virtual\AppData\Local\Temp\uCAgEAIQ.bat
C:\Users\Virtual\AppData\Local\Temp\uaQwIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\uoYYMYkQ.bat
C:\Users\Virtual\AppData\Local\Temp\uowEAsgE.bat
C:\Users\Virtual\AppData\Local\Temp\uqEIccsI.bat
C:\Users\Virtual\AppData\Local\Temp\vsccgIoA.bat
C:\Users\Virtual\AppData\Local\Temp\wOIYYEcQ.bat
C:\Users\Virtual\AppData\Local\Temp\wcIkQUMA.bat
C:\Users\Virtual\AppData\Local\Temp\xEkMAwMM.bat
C:\Users\Virtual\AppData\Local\Temp\xIoMQokI.bat
C:\Users\Virtual\AppData\Local\Temp\xSUgYsEc.bat
C:\Users\Virtual\AppData\Local\Temp\xSocEkoI.bat
C:\Users\Virtual\AppData\Local\Temp\xawMQgUw.bat
C:\Users\Virtual\AppData\Local\Temp\xiokkAMk.bat
C:\Users\Virtual\AppData\Local\Temp\yOEEwgcs.bat
C:\Users\Virtual\AppData\Local\Temp\yewcEsgk.bat
C:\Users\Virtual\AppData\Local\Temp\ywEkUkMw.bat
C:\Users\Virtual\AppData\Local\Temp\zAcosMUo.bat
C:\Users\Virtual\AppData\Local\Temp\zGQQAcQw.bat
C:\Users\Virtual\AppData\Local\Temp\zSocMsIQ.bat
C:\Users\Virtual\AppData\Local\Temp\zyAUggMY.bat
C:\Users\Virtual\qOUwQcUU\DUckIoEY.inf
C:\Windows\SysWOW64\cscript.exe

File-Written

C:\ProgramData\BaYccoIY\CAMIMsAM.exe
C:\ProgramData\FeUgYgUs\geoswEAk.exe
C:\ProgramData\FeUgYgUs\geoswEAk.inf
C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b
C:\Users\Virtual\AppData\Local\Temp\AGcMQgAc.bat
C:\Users\Virtual\AppData\Local\Temp\ASQUEMAg.bat
C:\Users\Virtual\AppData\Local\Temp\AWAokYQc.bat
C:\Users\Virtual\AppData\Local\Temp\BEMkUgYk.bat
C:\Users\Virtual\AppData\Local\Temp\BgsswsQM.bat
C:\Users\Virtual\AppData\Local\Temp\CQsIMoAA.bat
C:\Users\Virtual\AppData\Local\Temp\CaMAEEQo.bat
C:\Users\Virtual\AppData\Local\Temp\CygcAEYM.bat
C:\Users\Virtual\AppData\Local\Temp\DQMsYoUQ.bat
C:\Users\Virtual\AppData\Local\Temp\DwMYQIcU.bat
C:\Users\Virtual\AppData\Local\Temp\EggUQUcY.bat
C:\Users\Virtual\AppData\Local\Temp\FQEswIUU.bat
C:\Users\Virtual\AppData\Local\Temp\FWwYAUsI.bat
C:\Users\Virtual\AppData\Local\Temp\FYAsMIkY.bat
C:\Users\Virtual\AppData\Local\Temp\FiEkUggA.bat
C:\Users\Virtual\AppData\Local\Temp\FoUcMYoc.bat
C:\Users\Virtual\AppData\Local\Temp\FqkYYAYQ.bat
C:\Users\Virtual\AppData\Local\Temp\GcEggoYs.bat
C:\Users\Virtual\AppData\Local\Temp\HCEkAgkE.bat
C:\Users\Virtual\AppData\Local\Temp\IGwQEwIE.bat
C:\Users\Virtual\AppData\Local\Temp\IIYooIIk.bat
C:\Users\Virtual\AppData\Local\Temp\IIgkkcMs.bat
C:\Users\Virtual\AppData\Local\Temp\IOQwIUAM.bat
C:\Users\Virtual\AppData\Local\Temp\JAkQMUgo.bat
C:\Users\Virtual\AppData\Local\Temp\JiUQowAY.bat
C:\Users\Virtual\AppData\Local\Temp\KUoMwgww.bat
C:\Users\Virtual\AppData\Local\Temp\KWgIoIAI.bat
C:\Users\Virtual\AppData\Local\Temp\KmkEkwAE.bat
C:\Users\Virtual\AppData\Local\Temp\KmkkwUoo.bat
C:\Users\Virtual\AppData\Local\Temp\LEcQIIcw.bat
C:\Users\Virtual\AppData\Local\Temp\LIQEMYcs.bat
C:\Users\Virtual\AppData\Local\Temp\LUcYoQYo.bat
C:\Users\Virtual\AppData\Local\Temp\LmEUoQoc.bat
C:\Users\Virtual\AppData\Local\Temp\MAMMUwUM.bat
C:\Users\Virtual\AppData\Local\Temp\MMcAYQwE.bat
C:\Users\Virtual\AppData\Local\Temp\MOAAYwwM.bat
C:\Users\Virtual\AppData\Local\Temp\MgksIgYE.bat
C:\Users\Virtual\AppData\Local\Temp\MsQYQcMY.bat
C:\Users\Virtual\AppData\Local\Temp\NGsQAsYY.bat
C:\Users\Virtual\AppData\Local\Temp\NewQUcYo.bat
C:\Users\Virtual\AppData\Local\Temp\NgUsQkMI.bat
C:\Users\Virtual\AppData\Local\Temp\NkAkQsAw.bat
C:\Users\Virtual\AppData\Local\Temp\PKcAMYIQ.bat
C:\Users\Virtual\AppData\Local\Temp\QCEUQQAA.bat
C:\Users\Virtual\AppData\Local\Temp\QGkQAsQk.bat
C:\Users\Virtual\AppData\Local\Temp\QMwcUkgQ.bat
C:\Users\Virtual\AppData\Local\Temp\QOQEMoIQ.bat
C:\Users\Virtual\AppData\Local\Temp\RAUoAMMA.bat
C:\Users\Virtual\AppData\Local\Temp\RIsIkwIo.bat
C:\Users\Virtual\AppData\Local\Temp\RSccUksU.bat
C:\Users\Virtual\AppData\Local\Temp\RewIsIkA.bat
C:\Users\Virtual\AppData\Local\Temp\RkUIgEQg.bat
C:\Users\Virtual\AppData\Local\Temp\RugkoksE.bat
C:\Users\Virtual\AppData\Local\Temp\ScwcgQMQ.bat
C:\Users\Virtual\AppData\Local\Temp\SksYkAIY.bat
C:\Users\Virtual\AppData\Local\Temp\SqEwoUcw.bat
C:\Users\Virtual\AppData\Local\Temp\SyMscUkk.bat
C:\Users\Virtual\AppData\Local\Temp\TEIAAMok.bat
C:\Users\Virtual\AppData\Local\Temp\TGYAQUAU.bat
C:\Users\Virtual\AppData\Local\Temp\TMcgQsAE.bat
C:\Users\Virtual\AppData\Local\Temp\TSoAgogM.bat
C:\Users\Virtual\AppData\Local\Temp\TWgcAkUg.bat
C:\Users\Virtual\AppData\Local\Temp\ToUoUkcU.bat
C:\Users\Virtual\AppData\Local\Temp\TqskMAQI.bat
C:\Users\Virtual\AppData\Local\Temp\UKMgwEMI.bat
C:\Users\Virtual\AppData\Local\Temp\UWQIIQsA.bat
C:\Users\Virtual\AppData\Local\Temp\UaIAYIQc.bat
C:\Users\Virtual\AppData\Local\Temp\UgwMQQUk.bat
C:\Users\Virtual\AppData\Local\Temp\UskcscwQ.bat
C:\Users\Virtual\AppData\Local\Temp\VCAMEsco.bat
C:\Users\Virtual\AppData\Local\Temp\VOAgEMIM.bat
C:\Users\Virtual\AppData\Local\Temp\ViskwcQI.bat
C:\Users\Virtual\AppData\Local\Temp\VkwoIsoE.bat
C:\Users\Virtual\AppData\Local\Temp\WYkUQUQA.bat
C:\Users\Virtual\AppData\Local\Temp\WeUwcwEQ.bat
C:\Users\Virtual\AppData\Local\Temp\WsEMQYAI.bat
C:\Users\Virtual\AppData\Local\Temp\XEcooocQ.bat
C:\Users\Virtual\AppData\Local\Temp\XKgoIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\XOUUwMMc.bat
C:\Users\Virtual\AppData\Local\Temp\XQccoEkY.bat
C:\Users\Virtual\AppData\Local\Temp\XUUwIocY.bat
C:\Users\Virtual\AppData\Local\Temp\XicwIwYk.bat
C:\Users\Virtual\AppData\Local\Temp\XikQckgI.bat
C:\Users\Virtual\AppData\Local\Temp\XikYkYQQ.bat
C:\Users\Virtual\AppData\Local\Temp\YEkIcQUc.bat
C:\Users\Virtual\AppData\Local\Temp\YUQEsgAA.bat
C:\Users\Virtual\AppData\Local\Temp\YeUowccA.bat
C:\Users\Virtual\AppData\Local\Temp\YoYAsAQw.bat
C:\Users\Virtual\AppData\Local\Temp\ZGEskowQ.bat
C:\Users\Virtual\AppData\Local\Temp\ZOoIoEUg.bat
C:\Users\Virtual\AppData\Local\Temp\aEAwogIY.bat
C:\Users\Virtual\AppData\Local\Temp\aSkccUEc.bat
C:\Users\Virtual\AppData\Local\Temp\aYwgYYww.bat
C:\Users\Virtual\AppData\Local\Temp\aqMAgcMc.bat
C:\Users\Virtual\AppData\Local\Temp\aqssAgUg.bat
C:\Users\Virtual\AppData\Local\Temp\bIYMEIoc.bat
C:\Users\Virtual\AppData\Local\Temp\bMwUcsks.bat
C:\Users\Virtual\AppData\Local\Temp\bQEsUsYQ.bat
C:\Users\Virtual\AppData\Local\Temp\bQkEcQcU.bat
C:\Users\Virtual\AppData\Local\Temp\bYUwMkQU.bat
C:\Users\Virtual\AppData\Local\Temp\bkgcQUUc.bat
C:\Users\Virtual\AppData\Local\Temp\bycoYAAA.bat
C:\Users\Virtual\AppData\Local\Temp\cGEswwsQ.bat
C:\Users\Virtual\AppData\Local\Temp\cOcIgQsY.bat
C:\Users\Virtual\AppData\Local\Temp\cgAQosAU.bat
C:\Users\Virtual\AppData\Local\Temp\dCoUAwco.bat
C:\Users\Virtual\AppData\Local\Temp\dMksgcYI.bat
C:\Users\Virtual\AppData\Local\Temp\dMswkwAo.bat
C:\Users\Virtual\AppData\Local\Temp\dQAUAgUg.bat
C:\Users\Virtual\AppData\Local\Temp\dSkkYsAA.bat
C:\Users\Virtual\AppData\Local\Temp\dgokIYoQ.bat
C:\Users\Virtual\AppData\Local\Temp\dwcUsUYs.bat
C:\Users\Virtual\AppData\Local\Temp\eAosgMAU.bat
C:\Users\Virtual\AppData\Local\Temp\eIgoIwUs.bat
C:\Users\Virtual\AppData\Local\Temp\eOUskUkg.bat
C:\Users\Virtual\AppData\Local\Temp\eYAEYIgI.bat
C:\Users\Virtual\AppData\Local\Temp\egMYAkoo.bat
C:\Users\Virtual\AppData\Local\Temp\fIoMYoMI.bat
C:\Users\Virtual\AppData\Local\Temp\fUQAwgIg.bat
C:\Users\Virtual\AppData\Local\Temp\feIMUcEo.bat
C:\Users\Virtual\AppData\Local\Temp\file.vbs
C:\Users\Virtual\AppData\Local\Temp\gAQgcUwc.bat
C:\Users\Virtual\AppData\Local\Temp\hCAEIsgk.bat
C:\Users\Virtual\AppData\Local\Temp\hMwsgwEM.bat
C:\Users\Virtual\AppData\Local\Temp\hcIkQsUQ.bat
C:\Users\Virtual\AppData\Local\Temp\hkQYcsMs.bat
C:\Users\Virtual\AppData\Local\Temp\iIcYsQoQ.bat
C:\Users\Virtual\AppData\Local\Temp\iOMsgcIA.bat
C:\Users\Virtual\AppData\Local\Temp\iYUMQIkQ.bat
C:\Users\Virtual\AppData\Local\Temp\iwckMAEA.bat
C:\Users\Virtual\AppData\Local\Temp\jMogQUkA.bat
C:\Users\Virtual\AppData\Local\Temp\jOQMgckk.bat
C:\Users\Virtual\AppData\Local\Temp\jQwQMIwc.bat
C:\Users\Virtual\AppData\Local\Temp\jggsQAwo.bat
C:\Users\Virtual\AppData\Local\Temp\jmQEEkkY.bat
C:\Users\Virtual\AppData\Local\Temp\jsgwkcss.bat
C:\Users\Virtual\AppData\Local\Temp\kaUoYAIo.bat
C:\Users\Virtual\AppData\Local\Temp\kkcgwwgs.bat
C:\Users\Virtual\AppData\Local\Temp\kyQooYIM.bat
C:\Users\Virtual\AppData\Local\Temp\lMIEMMQI.bat
C:\Users\Virtual\AppData\Local\Temp\lowkIwAk.bat
C:\Users\Virtual\AppData\Local\Temp\luokcMME.bat
C:\Users\Virtual\AppData\Local\Temp\mGYwAckI.bat
C:\Users\Virtual\AppData\Local\Temp\mUgMUAAE.bat
C:\Users\Virtual\AppData\Local\Temp\mWMMEckU.bat
C:\Users\Virtual\AppData\Local\Temp\mWgMUcQc.bat
C:\Users\Virtual\AppData\Local\Temp\mWskMgoo.bat
C:\Users\Virtual\AppData\Local\Temp\mcUgcIEI.bat
C:\Users\Virtual\AppData\Local\Temp\moooUIIo.bat
C:\Users\Virtual\AppData\Local\Temp\mukkoowY.bat
C:\Users\Virtual\AppData\Local\Temp\mwUwIkIg.bat
C:\Users\Virtual\AppData\Local\Temp\nKcgQcIY.bat
C:\Users\Virtual\AppData\Local\Temp\nYAgAAUc.bat
C:\Users\Virtual\AppData\Local\Temp\nuocskkU.bat
C:\Users\Virtual\AppData\Local\Temp\nwwsIUsw.bat
C:\Users\Virtual\AppData\Local\Temp\oCQEwscs.bat
C:\Users\Virtual\AppData\Local\Temp\oEYkMgco.bat
C:\Users\Virtual\AppData\Local\Temp\oMUQgwsc.bat
C:\Users\Virtual\AppData\Local\Temp\oWQccoYc.bat
C:\Users\Virtual\AppData\Local\Temp\oYIkAwks.bat
C:\Users\Virtual\AppData\Local\Temp\omAsMEAg.bat
C:\Users\Virtual\AppData\Local\Temp\oyccAwos.bat
C:\Users\Virtual\AppData\Local\Temp\pOIMkkYI.bat
C:\Users\Virtual\AppData\Local\Temp\paIQkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\paUogIEg.bat
C:\Users\Virtual\AppData\Local\Temp\pcskMoIs.bat
C:\Users\Virtual\AppData\Local\Temp\pkgwkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\qKkQIAwg.bat
C:\Users\Virtual\AppData\Local\Temp\qOMwgswk.bat
C:\Users\Virtual\AppData\Local\Temp\qQQIsUYU.bat
C:\Users\Virtual\AppData\Local\Temp\rCkMEgAQ.bat
C:\Users\Virtual\AppData\Local\Temp\riIMwccE.bat
C:\Users\Virtual\AppData\Local\Temp\sEUoYQwQ.bat
C:\Users\Virtual\AppData\Local\Temp\sUYEYgsI.bat
C:\Users\Virtual\AppData\Local\Temp\skcQgMsE.bat
C:\Users\Virtual\AppData\Local\Temp\soAQsUUU.bat
C:\Users\Virtual\AppData\Local\Temp\ssAAsQMU.bat
C:\Users\Virtual\AppData\Local\Temp\swQEEYIE.bat
C:\Users\Virtual\AppData\Local\Temp\tAYsAcIQ.bat
C:\Users\Virtual\AppData\Local\Temp\tCAkgQcw.bat
C:\Users\Virtual\AppData\Local\Temp\tCQkgQoQ.bat
C:\Users\Virtual\AppData\Local\Temp\tEocEgco.bat
C:\Users\Virtual\AppData\Local\Temp\tIUkYEIE.bat
C:\Users\Virtual\AppData\Local\Temp\tIcQQMgg.bat
C:\Users\Virtual\AppData\Local\Temp\tQMIMQsw.bat
C:\Users\Virtual\AppData\Local\Temp\tWwgMcco.bat
C:\Users\Virtual\AppData\Local\Temp\tiUosMME.bat
C:\Users\Virtual\AppData\Local\Temp\toQAoUkw.bat
C:\Users\Virtual\AppData\Local\Temp\uCAgEAIQ.bat
C:\Users\Virtual\AppData\Local\Temp\uMUAQUgk.bat
C:\Users\Virtual\AppData\Local\Temp\uaQwIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\uoAgogIY.bat
C:\Users\Virtual\AppData\Local\Temp\uoYYMYkQ.bat
C:\Users\Virtual\AppData\Local\Temp\uowEAsgE.bat
C:\Users\Virtual\AppData\Local\Temp\uqEIccsI.bat
C:\Users\Virtual\AppData\Local\Temp\vOgAwwQA.bat
C:\Users\Virtual\AppData\Local\Temp\vgoooscY.bat
C:\Users\Virtual\AppData\Local\Temp\vsccgIoA.bat
C:\Users\Virtual\AppData\Local\Temp\wMQEwUMA.bat
C:\Users\Virtual\AppData\Local\Temp\wOIYYEcQ.bat
C:\Users\Virtual\AppData\Local\Temp\wQYIUsEk.bat
C:\Users\Virtual\AppData\Local\Temp\wcIkQUMA.bat
C:\Users\Virtual\AppData\Local\Temp\wmsIwAIE.bat
C:\Users\Virtual\AppData\Local\Temp\wyYwwkkw.bat
C:\Users\Virtual\AppData\Local\Temp\xEkMAwMM.bat
C:\Users\Virtual\AppData\Local\Temp\xIoMQokI.bat
C:\Users\Virtual\AppData\Local\Temp\xSUgYsEc.bat
C:\Users\Virtual\AppData\Local\Temp\xSocEkoI.bat
C:\Users\Virtual\AppData\Local\Temp\xawMQgUw.bat
C:\Users\Virtual\AppData\Local\Temp\xiokkAMk.bat
C:\Users\Virtual\AppData\Local\Temp\yOEEwgcs.bat
C:\Users\Virtual\AppData\Local\Temp\yQkwAMoM.bat
C:\Users\Virtual\AppData\Local\Temp\yUgQkMwY.bat
C:\Users\Virtual\AppData\Local\Temp\yaEgcQcM.bat
C:\Users\Virtual\AppData\Local\Temp\yeAQQwso.bat
C:\Users\Virtual\AppData\Local\Temp\yewcEsgk.bat
C:\Users\Virtual\AppData\Local\Temp\ywEkUkMw.bat
C:\Users\Virtual\AppData\Local\Temp\zAcosMUo.bat
C:\Users\Virtual\AppData\Local\Temp\zGQQAcQw.bat
C:\Users\Virtual\AppData\Local\Temp\zSocMsIQ.bat
C:\Users\Virtual\AppData\Local\Temp\zoYwkIwE.bat
C:\Users\Virtual\AppData\Local\Temp\zyAUggMY.bat
C:\Users\Virtual\qOUwQcUU\DUckIoEY.exe
C:\Users\Virtual\qOUwQcUU\DUckIoEY.inf

File-Deleted

C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.exe
C:\Users\Virtual\AppData\Local\Temp\AGcMQgAc.bat
C:\Users\Virtual\AppData\Local\Temp\ASQUEMAg.bat
C:\Users\Virtual\AppData\Local\Temp\AWAokYQc.bat
C:\Users\Virtual\AppData\Local\Temp\BEMkUgYk.bat
C:\Users\Virtual\AppData\Local\Temp\BgsswsQM.bat
C:\Users\Virtual\AppData\Local\Temp\CQsIMoAA.bat
C:\Users\Virtual\AppData\Local\Temp\CaMAEEQo.bat
C:\Users\Virtual\AppData\Local\Temp\CygcAEYM.bat
C:\Users\Virtual\AppData\Local\Temp\DQMsYoUQ.bat
C:\Users\Virtual\AppData\Local\Temp\DwMYQIcU.bat
C:\Users\Virtual\AppData\Local\Temp\EggUQUcY.bat
C:\Users\Virtual\AppData\Local\Temp\FQEswIUU.bat
C:\Users\Virtual\AppData\Local\Temp\FWwYAUsI.bat
C:\Users\Virtual\AppData\Local\Temp\FYAsMIkY.bat
C:\Users\Virtual\AppData\Local\Temp\FiEkUggA.bat
C:\Users\Virtual\AppData\Local\Temp\FoUcMYoc.bat
C:\Users\Virtual\AppData\Local\Temp\FqkYYAYQ.bat
C:\Users\Virtual\AppData\Local\Temp\GcEggoYs.bat
C:\Users\Virtual\AppData\Local\Temp\HCEkAgkE.bat
C:\Users\Virtual\AppData\Local\Temp\IGwQEwIE.bat
C:\Users\Virtual\AppData\Local\Temp\IIYooIIk.bat
C:\Users\Virtual\AppData\Local\Temp\IIgkkcMs.bat
C:\Users\Virtual\AppData\Local\Temp\IOQwIUAM.bat
C:\Users\Virtual\AppData\Local\Temp\JAkQMUgo.bat
C:\Users\Virtual\AppData\Local\Temp\JiUQowAY.bat
C:\Users\Virtual\AppData\Local\Temp\KUoMwgww.bat
C:\Users\Virtual\AppData\Local\Temp\KWgIoIAI.bat
C:\Users\Virtual\AppData\Local\Temp\KmkEkwAE.bat
C:\Users\Virtual\AppData\Local\Temp\KmkkwUoo.bat
C:\Users\Virtual\AppData\Local\Temp\LEcQIIcw.bat
C:\Users\Virtual\AppData\Local\Temp\LIQEMYcs.bat
C:\Users\Virtual\AppData\Local\Temp\LUcYoQYo.bat
C:\Users\Virtual\AppData\Local\Temp\LmEUoQoc.bat
C:\Users\Virtual\AppData\Local\Temp\MAMMUwUM.bat
C:\Users\Virtual\AppData\Local\Temp\MMcAYQwE.bat
C:\Users\Virtual\AppData\Local\Temp\MOAAYwwM.bat
C:\Users\Virtual\AppData\Local\Temp\MgksIgYE.bat
C:\Users\Virtual\AppData\Local\Temp\MsQYQcMY.bat
C:\Users\Virtual\AppData\Local\Temp\NGsQAsYY.bat
C:\Users\Virtual\AppData\Local\Temp\NewQUcYo.bat
C:\Users\Virtual\AppData\Local\Temp\NgUsQkMI.bat
C:\Users\Virtual\AppData\Local\Temp\NkAkQsAw.bat
C:\Users\Virtual\AppData\Local\Temp\PKcAMYIQ.bat
C:\Users\Virtual\AppData\Local\Temp\QCEUQQAA.bat
C:\Users\Virtual\AppData\Local\Temp\QGkQAsQk.bat
C:\Users\Virtual\AppData\Local\Temp\QMwcUkgQ.bat
C:\Users\Virtual\AppData\Local\Temp\QOQEMoIQ.bat
C:\Users\Virtual\AppData\Local\Temp\RAUoAMMA.bat
C:\Users\Virtual\AppData\Local\Temp\RIsIkwIo.bat
C:\Users\Virtual\AppData\Local\Temp\RSccUksU.bat
C:\Users\Virtual\AppData\Local\Temp\RewIsIkA.bat
C:\Users\Virtual\AppData\Local\Temp\RkUIgEQg.bat
C:\Users\Virtual\AppData\Local\Temp\RugkoksE.bat
C:\Users\Virtual\AppData\Local\Temp\ScwcgQMQ.bat
C:\Users\Virtual\AppData\Local\Temp\SksYkAIY.bat
C:\Users\Virtual\AppData\Local\Temp\SqEwoUcw.bat
C:\Users\Virtual\AppData\Local\Temp\SyMscUkk.bat
C:\Users\Virtual\AppData\Local\Temp\TEIAAMok.bat
C:\Users\Virtual\AppData\Local\Temp\TGYAQUAU.bat
C:\Users\Virtual\AppData\Local\Temp\TMcgQsAE.bat
C:\Users\Virtual\AppData\Local\Temp\TSoAgogM.bat
C:\Users\Virtual\AppData\Local\Temp\TWgcAkUg.bat
C:\Users\Virtual\AppData\Local\Temp\ToUoUkcU.bat
C:\Users\Virtual\AppData\Local\Temp\TqskMAQI.bat
C:\Users\Virtual\AppData\Local\Temp\UKMgwEMI.bat
C:\Users\Virtual\AppData\Local\Temp\UWQIIQsA.bat
C:\Users\Virtual\AppData\Local\Temp\UaIAYIQc.bat
C:\Users\Virtual\AppData\Local\Temp\UgwMQQUk.bat
C:\Users\Virtual\AppData\Local\Temp\UskcscwQ.bat
C:\Users\Virtual\AppData\Local\Temp\VCAMEsco.bat
C:\Users\Virtual\AppData\Local\Temp\VOAgEMIM.bat
C:\Users\Virtual\AppData\Local\Temp\ViskwcQI.bat
C:\Users\Virtual\AppData\Local\Temp\VkwoIsoE.bat
C:\Users\Virtual\AppData\Local\Temp\WYkUQUQA.bat
C:\Users\Virtual\AppData\Local\Temp\WeUwcwEQ.bat
C:\Users\Virtual\AppData\Local\Temp\WsEMQYAI.bat
C:\Users\Virtual\AppData\Local\Temp\XEcooocQ.bat
C:\Users\Virtual\AppData\Local\Temp\XKgoIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\XOUUwMMc.bat
C:\Users\Virtual\AppData\Local\Temp\XQccoEkY.bat
C:\Users\Virtual\AppData\Local\Temp\XUUwIocY.bat
C:\Users\Virtual\AppData\Local\Temp\XicwIwYk.bat
C:\Users\Virtual\AppData\Local\Temp\XikQckgI.bat
C:\Users\Virtual\AppData\Local\Temp\XikYkYQQ.bat
C:\Users\Virtual\AppData\Local\Temp\YEkIcQUc.bat
C:\Users\Virtual\AppData\Local\Temp\YUQEsgAA.bat
C:\Users\Virtual\AppData\Local\Temp\YeUowccA.bat
C:\Users\Virtual\AppData\Local\Temp\YoYAsAQw.bat
C:\Users\Virtual\AppData\Local\Temp\ZGEskowQ.bat
C:\Users\Virtual\AppData\Local\Temp\ZOoIoEUg.bat
C:\Users\Virtual\AppData\Local\Temp\aEAwogIY.bat
C:\Users\Virtual\AppData\Local\Temp\aSkccUEc.bat
C:\Users\Virtual\AppData\Local\Temp\aYwgYYww.bat
C:\Users\Virtual\AppData\Local\Temp\aqMAgcMc.bat
C:\Users\Virtual\AppData\Local\Temp\aqssAgUg.bat
C:\Users\Virtual\AppData\Local\Temp\bIYMEIoc.bat
C:\Users\Virtual\AppData\Local\Temp\bMwUcsks.bat
C:\Users\Virtual\AppData\Local\Temp\bQEsUsYQ.bat
C:\Users\Virtual\AppData\Local\Temp\bQkEcQcU.bat
C:\Users\Virtual\AppData\Local\Temp\bYUwMkQU.bat
C:\Users\Virtual\AppData\Local\Temp\bkgcQUUc.bat
C:\Users\Virtual\AppData\Local\Temp\bycoYAAA.bat
C:\Users\Virtual\AppData\Local\Temp\cGEswwsQ.bat
C:\Users\Virtual\AppData\Local\Temp\cOcIgQsY.bat
C:\Users\Virtual\AppData\Local\Temp\cgAQosAU.bat
C:\Users\Virtual\AppData\Local\Temp\dCoUAwco.bat
C:\Users\Virtual\AppData\Local\Temp\dMksgcYI.bat
C:\Users\Virtual\AppData\Local\Temp\dMswkwAo.bat
C:\Users\Virtual\AppData\Local\Temp\dQAUAgUg.bat
C:\Users\Virtual\AppData\Local\Temp\dSkkYsAA.bat
C:\Users\Virtual\AppData\Local\Temp\dgokIYoQ.bat
C:\Users\Virtual\AppData\Local\Temp\dwcUsUYs.bat
C:\Users\Virtual\AppData\Local\Temp\eAosgMAU.bat
C:\Users\Virtual\AppData\Local\Temp\eIgoIwUs.bat
C:\Users\Virtual\AppData\Local\Temp\eOUskUkg.bat
C:\Users\Virtual\AppData\Local\Temp\eYAEYIgI.bat
C:\Users\Virtual\AppData\Local\Temp\egMYAkoo.bat
C:\Users\Virtual\AppData\Local\Temp\fIoMYoMI.bat
C:\Users\Virtual\AppData\Local\Temp\fUQAwgIg.bat
C:\Users\Virtual\AppData\Local\Temp\feIMUcEo.bat
C:\Users\Virtual\AppData\Local\Temp\gAQgcUwc.bat
C:\Users\Virtual\AppData\Local\Temp\hCAEIsgk.bat
C:\Users\Virtual\AppData\Local\Temp\hcIkQsUQ.bat
C:\Users\Virtual\AppData\Local\Temp\hkQYcsMs.bat
C:\Users\Virtual\AppData\Local\Temp\iIcYsQoQ.bat
C:\Users\Virtual\AppData\Local\Temp\iOMsgcIA.bat
C:\Users\Virtual\AppData\Local\Temp\iYUMQIkQ.bat
C:\Users\Virtual\AppData\Local\Temp\iwckMAEA.bat
C:\Users\Virtual\AppData\Local\Temp\jMogQUkA.bat
C:\Users\Virtual\AppData\Local\Temp\jOQMgckk.bat
C:\Users\Virtual\AppData\Local\Temp\jQwQMIwc.bat
C:\Users\Virtual\AppData\Local\Temp\jggsQAwo.bat
C:\Users\Virtual\AppData\Local\Temp\jmQEEkkY.bat
C:\Users\Virtual\AppData\Local\Temp\jsgwkcss.bat
C:\Users\Virtual\AppData\Local\Temp\kaUoYAIo.bat
C:\Users\Virtual\AppData\Local\Temp\kkcgwwgs.bat
C:\Users\Virtual\AppData\Local\Temp\kyQooYIM.bat
C:\Users\Virtual\AppData\Local\Temp\lMIEMMQI.bat
C:\Users\Virtual\AppData\Local\Temp\lowkIwAk.bat
C:\Users\Virtual\AppData\Local\Temp\luokcMME.bat
C:\Users\Virtual\AppData\Local\Temp\mGYwAckI.bat
C:\Users\Virtual\AppData\Local\Temp\mUgMUAAE.bat
C:\Users\Virtual\AppData\Local\Temp\mWMMEckU.bat
C:\Users\Virtual\AppData\Local\Temp\mWgMUcQc.bat
C:\Users\Virtual\AppData\Local\Temp\mWskMgoo.bat
C:\Users\Virtual\AppData\Local\Temp\mcUgcIEI.bat
C:\Users\Virtual\AppData\Local\Temp\moooUIIo.bat
C:\Users\Virtual\AppData\Local\Temp\mukkoowY.bat
C:\Users\Virtual\AppData\Local\Temp\mwUwIkIg.bat
C:\Users\Virtual\AppData\Local\Temp\nKcgQcIY.bat
C:\Users\Virtual\AppData\Local\Temp\nYAgAAUc.bat
C:\Users\Virtual\AppData\Local\Temp\nuocskkU.bat
C:\Users\Virtual\AppData\Local\Temp\nwwsIUsw.bat
C:\Users\Virtual\AppData\Local\Temp\oCQEwscs.bat
C:\Users\Virtual\AppData\Local\Temp\oEYkMgco.bat
C:\Users\Virtual\AppData\Local\Temp\oMUQgwsc.bat
C:\Users\Virtual\AppData\Local\Temp\oWQccoYc.bat
C:\Users\Virtual\AppData\Local\Temp\oYIkAwks.bat
C:\Users\Virtual\AppData\Local\Temp\omAsMEAg.bat
C:\Users\Virtual\AppData\Local\Temp\oyccAwos.bat
C:\Users\Virtual\AppData\Local\Temp\pOIMkkYI.bat
C:\Users\Virtual\AppData\Local\Temp\paIQkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\paUogIEg.bat
C:\Users\Virtual\AppData\Local\Temp\pcskMoIs.bat
C:\Users\Virtual\AppData\Local\Temp\pkgwkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\qKkQIAwg.bat
C:\Users\Virtual\AppData\Local\Temp\qOMwgswk.bat
C:\Users\Virtual\AppData\Local\Temp\qQQIsUYU.bat
C:\Users\Virtual\AppData\Local\Temp\rCkMEgAQ.bat
C:\Users\Virtual\AppData\Local\Temp\riIMwccE.bat
C:\Users\Virtual\AppData\Local\Temp\sEUoYQwQ.bat
C:\Users\Virtual\AppData\Local\Temp\sUYEYgsI.bat
C:\Users\Virtual\AppData\Local\Temp\skcQgMsE.bat
C:\Users\Virtual\AppData\Local\Temp\soAQsUUU.bat
C:\Users\Virtual\AppData\Local\Temp\ssAAsQMU.bat
C:\Users\Virtual\AppData\Local\Temp\swQEEYIE.bat
C:\Users\Virtual\AppData\Local\Temp\tAYsAcIQ.bat
C:\Users\Virtual\AppData\Local\Temp\tCAkgQcw.bat
C:\Users\Virtual\AppData\Local\Temp\tCQkgQoQ.bat
C:\Users\Virtual\AppData\Local\Temp\tEocEgco.bat
C:\Users\Virtual\AppData\Local\Temp\tIUkYEIE.bat
C:\Users\Virtual\AppData\Local\Temp\tIcQQMgg.bat
C:\Users\Virtual\AppData\Local\Temp\tQMIMQsw.bat
C:\Users\Virtual\AppData\Local\Temp\tWwgMcco.bat
C:\Users\Virtual\AppData\Local\Temp\tiUosMME.bat
C:\Users\Virtual\AppData\Local\Temp\toQAoUkw.bat
C:\Users\Virtual\AppData\Local\Temp\uCAgEAIQ.bat
C:\Users\Virtual\AppData\Local\Temp\uMUAQUgk.bat
C:\Users\Virtual\AppData\Local\Temp\uaQwIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\uoAgogIY.bat
C:\Users\Virtual\AppData\Local\Temp\uowEAsgE.bat
C:\Users\Virtual\AppData\Local\Temp\uqEIccsI.bat
C:\Users\Virtual\AppData\Local\Temp\vOgAwwQA.bat
C:\Users\Virtual\AppData\Local\Temp\vgoooscY.bat
C:\Users\Virtual\AppData\Local\Temp\vsccgIoA.bat
C:\Users\Virtual\AppData\Local\Temp\wMQEwUMA.bat
C:\Users\Virtual\AppData\Local\Temp\wOIYYEcQ.bat
C:\Users\Virtual\AppData\Local\Temp\wQYIUsEk.bat
C:\Users\Virtual\AppData\Local\Temp\wcIkQUMA.bat
C:\Users\Virtual\AppData\Local\Temp\wmsIwAIE.bat
C:\Users\Virtual\AppData\Local\Temp\wyYwwkkw.bat
C:\Users\Virtual\AppData\Local\Temp\xEkMAwMM.bat
C:\Users\Virtual\AppData\Local\Temp\xIoMQokI.bat
C:\Users\Virtual\AppData\Local\Temp\xSUgYsEc.bat
C:\Users\Virtual\AppData\Local\Temp\xSocEkoI.bat
C:\Users\Virtual\AppData\Local\Temp\xawMQgUw.bat
C:\Users\Virtual\AppData\Local\Temp\xiokkAMk.bat
C:\Users\Virtual\AppData\Local\Temp\yOEEwgcs.bat
C:\Users\Virtual\AppData\Local\Temp\yQkwAMoM.bat
C:\Users\Virtual\AppData\Local\Temp\yUgQkMwY.bat
C:\Users\Virtual\AppData\Local\Temp\yaEgcQcM.bat
C:\Users\Virtual\AppData\Local\Temp\yeAQQwso.bat
C:\Users\Virtual\AppData\Local\Temp\yewcEsgk.bat
C:\Users\Virtual\AppData\Local\Temp\ywEkUkMw.bat
C:\Users\Virtual\AppData\Local\Temp\zAcosMUo.bat
C:\Users\Virtual\AppData\Local\Temp\zGQQAcQw.bat
C:\Users\Virtual\AppData\Local\Temp\zSocMsIQ.bat
C:\Users\Virtual\AppData\Local\Temp\zoYwkIwE.bat
C:\Users\Virtual\AppData\Local\Temp\zyAUggMY.bat

File-Opened

C:\
C:\ProgramData\FeUgYgUs\geoswEAk
C:\ProgramData\FeUgYgUs\geoswEAk.inf
C:\Users\Virtual\AppData\Local\Temp\AGcMQgAc.bat
C:\Users\Virtual\AppData\Local\Temp\AWAokYQc.bat
C:\Users\Virtual\AppData\Local\Temp\BgsswsQM.bat
C:\Users\Virtual\AppData\Local\Temp\CygcAEYM.bat
C:\Users\Virtual\AppData\Local\Temp\DQMsYoUQ.bat
C:\Users\Virtual\AppData\Local\Temp\FYAsMIkY.bat
C:\Users\Virtual\AppData\Local\Temp\GcEggoYs.bat
C:\Users\Virtual\AppData\Local\Temp\IGwQEwIE.bat
C:\Users\Virtual\AppData\Local\Temp\IIYooIIk.bat
C:\Users\Virtual\AppData\Local\Temp\IIgkkcMs.bat
C:\Users\Virtual\AppData\Local\Temp\JAkQMUgo.bat
C:\Users\Virtual\AppData\Local\Temp\KUoMwgww.bat
C:\Users\Virtual\AppData\Local\Temp\LEcQIIcw.bat
C:\Users\Virtual\AppData\Local\Temp\LIQEMYcs.bat
C:\Users\Virtual\AppData\Local\Temp\LmEUoQoc.bat
C:\Users\Virtual\AppData\Local\Temp\MAMMUwUM.bat
C:\Users\Virtual\AppData\Local\Temp\MOAAYwwM.bat
C:\Users\Virtual\AppData\Local\Temp\MgksIgYE.bat
C:\Users\Virtual\AppData\Local\Temp\NGsQAsYY.bat
C:\Users\Virtual\AppData\Local\Temp\NewQUcYo.bat
C:\Users\Virtual\AppData\Local\Temp\PKcAMYIQ.bat
C:\Users\Virtual\AppData\Local\Temp\QCEUQQAA.bat
C:\Users\Virtual\AppData\Local\Temp\QGkQAsQk.bat
C:\Users\Virtual\AppData\Local\Temp\QOQEMoIQ.bat
C:\Users\Virtual\AppData\Local\Temp\RAUoAMMA.bat
C:\Users\Virtual\AppData\Local\Temp\RewIsIkA.bat
C:\Users\Virtual\AppData\Local\Temp\RkUIgEQg.bat
C:\Users\Virtual\AppData\Local\Temp\RugkoksE.bat
C:\Users\Virtual\AppData\Local\Temp\ScwcgQMQ.bat
C:\Users\Virtual\AppData\Local\Temp\SksYkAIY.bat
C:\Users\Virtual\AppData\Local\Temp\SqEwoUcw.bat
C:\Users\Virtual\AppData\Local\Temp\TEIAAMok.bat
C:\Users\Virtual\AppData\Local\Temp\TSoAgogM.bat
C:\Users\Virtual\AppData\Local\Temp\TWgcAkUg.bat
C:\Users\Virtual\AppData\Local\Temp\TqskMAQI.bat
C:\Users\Virtual\AppData\Local\Temp\UKMgwEMI.bat
C:\Users\Virtual\AppData\Local\Temp\VOAgEMIM.bat
C:\Users\Virtual\AppData\Local\Temp\VkwoIsoE.bat
C:\Users\Virtual\AppData\Local\Temp\WYkUQUQA.bat
C:\Users\Virtual\AppData\Local\Temp\WsEMQYAI.bat
C:\Users\Virtual\AppData\Local\Temp\XEcooocQ.bat
C:\Users\Virtual\AppData\Local\Temp\XKgoIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\XQccoEkY.bat
C:\Users\Virtual\AppData\Local\Temp\XUUwIocY.bat
C:\Users\Virtual\AppData\Local\Temp\XicwIwYk.bat
C:\Users\Virtual\AppData\Local\Temp\XikQckgI.bat
C:\Users\Virtual\AppData\Local\Temp\XikYkYQQ.bat
C:\Users\Virtual\AppData\Local\Temp\YUQEsgAA.bat
C:\Users\Virtual\AppData\Local\Temp\YoYAsAQw.bat
C:\Users\Virtual\AppData\Local\Temp\aYwgYYww.bat
C:\Users\Virtual\AppData\Local\Temp\bMwUcsks.bat
C:\Users\Virtual\AppData\Local\Temp\bQEsUsYQ.bat
C:\Users\Virtual\AppData\Local\Temp\bYUwMkQU.bat
C:\Users\Virtual\AppData\Local\Temp\cGEswwsQ.bat
C:\Users\Virtual\AppData\Local\Temp\cOcIgQsY.bat
C:\Users\Virtual\AppData\Local\Temp\cgAQosAU.bat
C:\Users\Virtual\AppData\Local\Temp\dCoUAwco.bat
C:\Users\Virtual\AppData\Local\Temp\dSkkYsAA.bat
C:\Users\Virtual\AppData\Local\Temp\eAosgMAU.bat
C:\Users\Virtual\AppData\Local\Temp\eIgoIwUs.bat
C:\Users\Virtual\AppData\Local\Temp\eOUskUkg.bat
C:\Users\Virtual\AppData\Local\Temp\fIoMYoMI.bat
C:\Users\Virtual\AppData\Local\Temp\fUQAwgIg.bat
C:\Users\Virtual\AppData\Local\Temp\file.vbs
C:\Users\Virtual\AppData\Local\Temp\gAQgcUwc.bat
C:\Users\Virtual\AppData\Local\Temp\hMwsgwEM.bat
C:\Users\Virtual\AppData\Local\Temp\hcIkQsUQ.bat
C:\Users\Virtual\AppData\Local\Temp\hkQYcsMs.bat
C:\Users\Virtual\AppData\Local\Temp\iYUMQIkQ.bat
C:\Users\Virtual\AppData\Local\Temp\iwckMAEA.bat
C:\Users\Virtual\AppData\Local\Temp\jMogQUkA.bat
C:\Users\Virtual\AppData\Local\Temp\jQwQMIwc.bat
C:\Users\Virtual\AppData\Local\Temp\lowkIwAk.bat
C:\Users\Virtual\AppData\Local\Temp\mUgMUAAE.bat
C:\Users\Virtual\AppData\Local\Temp\mWgMUcQc.bat
C:\Users\Virtual\AppData\Local\Temp\nKcgQcIY.bat
C:\Users\Virtual\AppData\Local\Temp\nuocskkU.bat
C:\Users\Virtual\AppData\Local\Temp\nwwsIUsw.bat
C:\Users\Virtual\AppData\Local\Temp\oCQEwscs.bat
C:\Users\Virtual\AppData\Local\Temp\oMUQgwsc.bat
C:\Users\Virtual\AppData\Local\Temp\oYIkAwks.bat
C:\Users\Virtual\AppData\Local\Temp\pcskMoIs.bat
C:\Users\Virtual\AppData\Local\Temp\pkgwkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\qOMwgswk.bat
C:\Users\Virtual\AppData\Local\Temp\rCkMEgAQ.bat
C:\Users\Virtual\AppData\Local\Temp\riIMwccE.bat
C:\Users\Virtual\AppData\Local\Temp\skcQgMsE.bat
C:\Users\Virtual\AppData\Local\Temp\ssAAsQMU.bat
C:\Users\Virtual\AppData\Local\Temp\tAYsAcIQ.bat
C:\Users\Virtual\AppData\Local\Temp\toQAoUkw.bat
C:\Users\Virtual\AppData\Local\Temp\uCAgEAIQ.bat
C:\Users\Virtual\AppData\Local\Temp\uaQwIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\uoYYMYkQ.bat
C:\Users\Virtual\AppData\Local\Temp\uowEAsgE.bat
C:\Users\Virtual\AppData\Local\Temp\uqEIccsI.bat
C:\Users\Virtual\AppData\Local\Temp\vsccgIoA.bat
C:\Users\Virtual\AppData\Local\Temp\wOIYYEcQ.bat
C:\Users\Virtual\AppData\Local\Temp\wcIkQUMA.bat
C:\Users\Virtual\AppData\Local\Temp\xEkMAwMM.bat
C:\Users\Virtual\AppData\Local\Temp\xIoMQokI.bat
C:\Users\Virtual\AppData\Local\Temp\xSUgYsEc.bat
C:\Users\Virtual\AppData\Local\Temp\xSocEkoI.bat
C:\Users\Virtual\AppData\Local\Temp\xawMQgUw.bat
C:\Users\Virtual\AppData\Local\Temp\xiokkAMk.bat
C:\Users\Virtual\AppData\Local\Temp\yOEEwgcs.bat
C:\Users\Virtual\AppData\Local\Temp\yewcEsgk.bat
C:\Users\Virtual\AppData\Local\Temp\ywEkUkMw.bat
C:\Users\Virtual\AppData\Local\Temp\zAcosMUo.bat
C:\Users\Virtual\AppData\Local\Temp\zGQQAcQw.bat
C:\Users\Virtual\AppData\Local\Temp\zSocMsIQ.bat
C:\Users\Virtual\AppData\Local\Temp\zyAUggMY.bat
C:\Users\Virtual\qOUwQcUU\DUckIoEY
C:\Users\Virtual\qOUwQcUU\DUckIoEY.inf
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\cscript.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui

Network-Connects IP

172.217.22.206
190.186.45.170
200.119.204.12
200.87.164.69

Network-Resolves URL

google.com

Directory-Created

C:\ProgramData\BaYccoIY
C:\ProgramData\FeUgYgUs
C:\Users\Virtual\qOUwQcUU

Directory-Enumerated

C:\Python27\Scripts\cscript
C:\Python27\Scripts\cscript.*
C:\Python27\cscript
C:\Python27\cscript.*
C:\Users
C:\Users\Virtual
C:\Users\Virtual\AppData
C:\Users\Virtual\AppData\Local
C:\Users\Virtual\AppData\Local\Temp
C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.*
C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.COM
C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.EXE
C:\Users\Virtual\AppData\Local\Temp\1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.exe
C:\Users\Virtual\AppData\Local\Temp\AGcMQgAc.bat
C:\Users\Virtual\AppData\Local\Temp\AWAokYQc.bat
C:\Users\Virtual\AppData\Local\Temp\BgsswsQM.bat
C:\Users\Virtual\AppData\Local\Temp\CygcAEYM.bat
C:\Users\Virtual\AppData\Local\Temp\DQMsYoUQ.bat
C:\Users\Virtual\AppData\Local\Temp\FYAsMIkY.bat
C:\Users\Virtual\AppData\Local\Temp\GcEggoYs.bat
C:\Users\Virtual\AppData\Local\Temp\IGwQEwIE.bat
C:\Users\Virtual\AppData\Local\Temp\IIYooIIk.bat
C:\Users\Virtual\AppData\Local\Temp\IIgkkcMs.bat
C:\Users\Virtual\AppData\Local\Temp\JAkQMUgo.bat
C:\Users\Virtual\AppData\Local\Temp\KUoMwgww.bat
C:\Users\Virtual\AppData\Local\Temp\LEcQIIcw.bat
C:\Users\Virtual\AppData\Local\Temp\LIQEMYcs.bat
C:\Users\Virtual\AppData\Local\Temp\LmEUoQoc.bat
C:\Users\Virtual\AppData\Local\Temp\MAMMUwUM.bat
C:\Users\Virtual\AppData\Local\Temp\MOAAYwwM.bat
C:\Users\Virtual\AppData\Local\Temp\MgksIgYE.bat
C:\Users\Virtual\AppData\Local\Temp\NGsQAsYY.bat
C:\Users\Virtual\AppData\Local\Temp\NewQUcYo.bat
C:\Users\Virtual\AppData\Local\Temp\PKcAMYIQ.bat
C:\Users\Virtual\AppData\Local\Temp\QCEUQQAA.bat
C:\Users\Virtual\AppData\Local\Temp\QGkQAsQk.bat
C:\Users\Virtual\AppData\Local\Temp\QOQEMoIQ.bat
C:\Users\Virtual\AppData\Local\Temp\RAUoAMMA.bat
C:\Users\Virtual\AppData\Local\Temp\RewIsIkA.bat
C:\Users\Virtual\AppData\Local\Temp\RkUIgEQg.bat
C:\Users\Virtual\AppData\Local\Temp\RugkoksE.bat
C:\Users\Virtual\AppData\Local\Temp\ScwcgQMQ.bat
C:\Users\Virtual\AppData\Local\Temp\SksYkAIY.bat
C:\Users\Virtual\AppData\Local\Temp\SqEwoUcw.bat
C:\Users\Virtual\AppData\Local\Temp\TEIAAMok.bat
C:\Users\Virtual\AppData\Local\Temp\TSoAgogM.bat
C:\Users\Virtual\AppData\Local\Temp\TWgcAkUg.bat
C:\Users\Virtual\AppData\Local\Temp\TqskMAQI.bat
C:\Users\Virtual\AppData\Local\Temp\UKMgwEMI.bat
C:\Users\Virtual\AppData\Local\Temp\VOAgEMIM.bat
C:\Users\Virtual\AppData\Local\Temp\VkwoIsoE.bat
C:\Users\Virtual\AppData\Local\Temp\WYkUQUQA.bat
C:\Users\Virtual\AppData\Local\Temp\WsEMQYAI.bat
C:\Users\Virtual\AppData\Local\Temp\XEcooocQ.bat
C:\Users\Virtual\AppData\Local\Temp\XKgoIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\XQccoEkY.bat
C:\Users\Virtual\AppData\Local\Temp\XUUwIocY.bat
C:\Users\Virtual\AppData\Local\Temp\XicwIwYk.bat
C:\Users\Virtual\AppData\Local\Temp\XikQckgI.bat
C:\Users\Virtual\AppData\Local\Temp\XikYkYQQ.bat
C:\Users\Virtual\AppData\Local\Temp\YUQEsgAA.bat
C:\Users\Virtual\AppData\Local\Temp\YoYAsAQw.bat
C:\Users\Virtual\AppData\Local\Temp\aYwgYYww.bat
C:\Users\Virtual\AppData\Local\Temp\bMwUcsks.bat
C:\Users\Virtual\AppData\Local\Temp\bQEsUsYQ.bat
C:\Users\Virtual\AppData\Local\Temp\bYUwMkQU.bat
C:\Users\Virtual\AppData\Local\Temp\cGEswwsQ.bat
C:\Users\Virtual\AppData\Local\Temp\cOcIgQsY.bat
C:\Users\Virtual\AppData\Local\Temp\cgAQosAU.bat
C:\Users\Virtual\AppData\Local\Temp\cscript
C:\Users\Virtual\AppData\Local\Temp\cscript.*
C:\Users\Virtual\AppData\Local\Temp\dCoUAwco.bat
C:\Users\Virtual\AppData\Local\Temp\dSkkYsAA.bat
C:\Users\Virtual\AppData\Local\Temp\eAosgMAU.bat
C:\Users\Virtual\AppData\Local\Temp\eIgoIwUs.bat
C:\Users\Virtual\AppData\Local\Temp\eOUskUkg.bat
C:\Users\Virtual\AppData\Local\Temp\fIoMYoMI.bat
C:\Users\Virtual\AppData\Local\Temp\fUQAwgIg.bat
C:\Users\Virtual\AppData\Local\Temp\file.js
C:\Users\Virtual\AppData\Local\Temp\file.vbs
C:\Users\Virtual\AppData\Local\Temp\gAQgcUwc.bat
C:\Users\Virtual\AppData\Local\Temp\hMwsgwEM.bat
C:\Users\Virtual\AppData\Local\Temp\hcIkQsUQ.bat
C:\Users\Virtual\AppData\Local\Temp\hkQYcsMs.bat
C:\Users\Virtual\AppData\Local\Temp\iYUMQIkQ.bat
C:\Users\Virtual\AppData\Local\Temp\iwckMAEA.bat
C:\Users\Virtual\AppData\Local\Temp\jMogQUkA.bat
C:\Users\Virtual\AppData\Local\Temp\jQwQMIwc.bat
C:\Users\Virtual\AppData\Local\Temp\lowkIwAk.bat
C:\Users\Virtual\AppData\Local\Temp\mUgMUAAE.bat
C:\Users\Virtual\AppData\Local\Temp\mWgMUcQc.bat
C:\Users\Virtual\AppData\Local\Temp\nKcgQcIY.bat
C:\Users\Virtual\AppData\Local\Temp\nuocskkU.bat
C:\Users\Virtual\AppData\Local\Temp\nwwsIUsw.bat
C:\Users\Virtual\AppData\Local\Temp\oCQEwscs.bat
C:\Users\Virtual\AppData\Local\Temp\oMUQgwsc.bat
C:\Users\Virtual\AppData\Local\Temp\oYIkAwks.bat
C:\Users\Virtual\AppData\Local\Temp\pcskMoIs.bat
C:\Users\Virtual\AppData\Local\Temp\pkgwkYQo.bat
C:\Users\Virtual\AppData\Local\Temp\qOMwgswk.bat
C:\Users\Virtual\AppData\Local\Temp\rCkMEgAQ.bat
C:\Users\Virtual\AppData\Local\Temp\riIMwccE.bat
C:\Users\Virtual\AppData\Local\Temp\skcQgMsE.bat
C:\Users\Virtual\AppData\Local\Temp\ssAAsQMU.bat
C:\Users\Virtual\AppData\Local\Temp\tAYsAcIQ.bat
C:\Users\Virtual\AppData\Local\Temp\toQAoUkw.bat
C:\Users\Virtual\AppData\Local\Temp\uCAgEAIQ.bat
C:\Users\Virtual\AppData\Local\Temp\uaQwIkoU.bat
C:\Users\Virtual\AppData\Local\Temp\uoYYMYkQ.bat
C:\Users\Virtual\AppData\Local\Temp\uowEAsgE.bat
C:\Users\Virtual\AppData\Local\Temp\uqEIccsI.bat
C:\Users\Virtual\AppData\Local\Temp\vsccgIoA.bat
C:\Users\Virtual\AppData\Local\Temp\wOIYYEcQ.bat
C:\Users\Virtual\AppData\Local\Temp\wcIkQUMA.bat
C:\Users\Virtual\AppData\Local\Temp\xEkMAwMM.bat
C:\Users\Virtual\AppData\Local\Temp\xIoMQokI.bat
C:\Users\Virtual\AppData\Local\Temp\xSUgYsEc.bat
C:\Users\Virtual\AppData\Local\Temp\xSocEkoI.bat
C:\Users\Virtual\AppData\Local\Temp\xawMQgUw.bat
C:\Users\Virtual\AppData\Local\Temp\xiokkAMk.bat
C:\Users\Virtual\AppData\Local\Temp\yOEEwgcs.bat
C:\Users\Virtual\AppData\Local\Temp\yewcEsgk.bat
C:\Users\Virtual\AppData\Local\Temp\ywEkUkMw.bat
C:\Users\Virtual\AppData\Local\Temp\zAcosMUo.bat
C:\Users\Virtual\AppData\Local\Temp\zGQQAcQw.bat
C:\Users\Virtual\AppData\Local\Temp\zSocMsIQ.bat
C:\Users\Virtual\AppData\Local\Temp\zyAUggMY.bat
C:\Windows\System32\cscript.*
C:\Windows\System32\cscript.COM
C:\Windows\System32\cscript.exe

Registry Key-Opened

HKEY_CLASSES_ROOT\.vbs
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER\VBScript
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{AB13F5B1-F718-11D0-82AA-00AA00C065E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{AB13F5B1-F718-11D0-82AA-00AA00C065E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllIsMyFileType2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Timeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SQMServiceList\SQMServiceList
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask

Registry Key-Written

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DUckIoEY.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\geoswEAk.exe

Mutex-Accessed

*@
*@
*@
JIsYQIME
gEQAMQss
õ)@
ý)@

Classification

Indicators

Yara

MITRE ATT&CK®

Enterprise Matrix (Tactics and Techniques)

Static Analysis

Sections

Resources

Strings

Dropped Files

004d4411daf46126_BwES.exe

0c1a9ade9fbeea9f_Ysoc.exe

1176637004956c3c_1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b.exe

199bbf15a1b0d52b_Yoky.exe

398dd9b8096a4345_rYUw.exe

411e693d8e3ba2de_ksEW.exe

48197d54bcf88cca_CcAW.exe

5693b6a3f8c89525_gMQs.exe

8f78b8a201a573e3_nkse.exe

a7a08900f05f0174_cQUi.exe

bd123f7874d232f7_ZYMm.exe

c2bb589f62cd071a_rAge.exe

cacceb5eef6758ed_sAoE.exe

ccc392602101b005_OoQS.exe

df2645e89fb7b0dd_MQse.exe

e3a255c2d30a7738_EAoe.exe

e69ef0d8d45b2c53_gQgi.exe

ea9779ffa0b2952f_FgsI.exe

f9338c07ae291282_hwoa.exe

fc87c70bbaf9154b_NUIa.exe

Network

DNS Requests

HTTP Requests

http://google.com/

http://google.com/

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Deleted

File-Opened

Network-Connects IP

Network-Resolves URL

Directory-Created

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Registry Key-Written

Mutex-Accessed

MITRE ATT&CK^®