9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

Analysis

max time kernel
179s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
Size

452KB
MD5

ededb0ae35ba9e887a481452d1aa88fb
SHA1

30489ed50d658c5e86828f3b7d2e2b7434eae1f8
SHA256

9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8
SHA512

d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77
SSDEEP

6144:EIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUh:EIXsgtvm1De5YlOx6lzBH46Uh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	eiips.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eiips.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "iykdslaqjehhyplpb.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "cuidupgytqvxqjhnbnf.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuidupgytqvxqjhnbnf.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sembmbmynedzm = "cuidupgytqvxqjhnbnf.exe"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkpbjvdmym = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pixtlhzsomsvpjiperkz.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eiips.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe

Executes dropped EXE 3 IoCs

pid	Process
1304	vsmxiywcfcw.exe
2036	eiips.exe
2020	eiips.exe

Loads dropped DLL 6 IoCs

pid	Process
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1304	vsmxiywcfcw.exe
1304	vsmxiywcfcw.exe
1304	vsmxiywcfcw.exe
1304	vsmxiywcfcw.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "cuidupgytqvxqjhnbnf.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pixtlhzsomsvpjiperkz.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "pixtlhzsomsvpjiperkz.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqbthzncuoqpfvqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "eyolebuolkrvqlltjxrhe.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "rivpfzpgawabtlinal.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "eyolebuolkrvqlltjxrhe.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "iykdslaqjehhyplpb.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "rivpfzpgawabtlinal.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqbthzncuoqpfvqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuidupgytqvxqjhnbnf.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "cuidupgytqvxqjhnbnf.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuidupgytqvxqjhnbnf.exe"	eiips.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "rivpfzpgawabtlinal.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "bqbthzncuoqpfvqt.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "iykdslaqjehhyplpb.exe"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuidupgytqvxqjhnbnf.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqbthzncuoqpfvqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqbthzncuoqpfvqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqbthzncuoqpfvqt.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "rivpfzpgawabtlinal.exe ."	eiips.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "eyolebuolkrvqlltjxrhe.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eiips.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iykdslaqjehhyplpb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pixtlhzsomsvpjiperkz.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rivpfzpgawabtlinal.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "pixtlhzsomsvpjiperkz.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "eyolebuolkrvqlltjxrhe.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iykdslaqjehhyplpb.exe"	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wkulypcqhabzodx = "eyolebuolkrvqlltjxrhe.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "rivpfzpgawabtlinal.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgmziveobqn = "bqbthzncuoqpfvqt.exe"	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "iykdslaqjehhyplpb.exe ."	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\telzjxhsgwup = "pixtlhzsomsvpjiperkz.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	eiips.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqbthzncuoqpfvqt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pixtlhzsomsvpjiperkz.exe ."	eiips.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgpfrhtgwoolzn = "rivpfzpgawabtlinal.exe"	eiips.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eiips.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
7	whatismyip.everdot.org
11	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pixtlhzsomsvpjiperkz.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\vqhfzxrmkksxtpqzqfarpj.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\rivpfzpgawabtlinal.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\eyolebuolkrvqlltjxrhe.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File created	C:\Windows\SysWOW64\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe
File opened for modification	C:\Windows\SysWOW64\bqbthzncuoqpfvqt.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\rivpfzpgawabtlinal.exe	vsmxiywcfcw.exe
File created	C:\Windows\SysWOW64\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File opened for modification	C:\Windows\SysWOW64\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe
File opened for modification	C:\Windows\SysWOW64\pixtlhzsomsvpjiperkz.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\pixtlhzsomsvpjiperkz.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\bqbthzncuoqpfvqt.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\eyolebuolkrvqlltjxrhe.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\bqbthzncuoqpfvqt.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\cuidupgytqvxqjhnbnf.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\eyolebuolkrvqlltjxrhe.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\vqhfzxrmkksxtpqzqfarpj.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\iykdslaqjehhyplpb.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\rivpfzpgawabtlinal.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\cuidupgytqvxqjhnbnf.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\iykdslaqjehhyplpb.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\vqhfzxrmkksxtpqzqfarpj.exe	eiips.exe
File opened for modification	C:\Windows\SysWOW64\iykdslaqjehhyplpb.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\cuidupgytqvxqjhnbnf.exe	vsmxiywcfcw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File created	C:\Program Files (x86)\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File opened for modification	C:\Program Files (x86)\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe
File created	C:\Program Files (x86)\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\iykdslaqjehhyplpb.exe	eiips.exe
File opened for modification	C:\Windows\bqbthzncuoqpfvqt.exe	eiips.exe
File opened for modification	C:\Windows\cuidupgytqvxqjhnbnf.exe	eiips.exe
File opened for modification	C:\Windows\pixtlhzsomsvpjiperkz.exe	eiips.exe
File opened for modification	C:\Windows\iykdslaqjehhyplpb.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\eyolebuolkrvqlltjxrhe.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\pixtlhzsomsvpjiperkz.exe	eiips.exe
File opened for modification	C:\Windows\vqhfzxrmkksxtpqzqfarpj.exe	eiips.exe
File opened for modification	C:\Windows\iykdslaqjehhyplpb.exe	eiips.exe
File opened for modification	C:\Windows\vqhfzxrmkksxtpqzqfarpj.exe	eiips.exe
File opened for modification	C:\Windows\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File opened for modification	C:\Windows\vqhfzxrmkksxtpqzqfarpj.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\bqbthzncuoqpfvqt.exe	eiips.exe
File opened for modification	C:\Windows\pixtlhzsomsvpjiperkz.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\eyolebuolkrvqlltjxrhe.exe	eiips.exe
File created	C:\Windows\jkhllppquaozbdkzwrspttxx.ciw	eiips.exe
File opened for modification	C:\Windows\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe
File opened for modification	C:\Windows\rivpfzpgawabtlinal.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\cuidupgytqvxqjhnbnf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\cuidupgytqvxqjhnbnf.exe	eiips.exe
File opened for modification	C:\Windows\eyolebuolkrvqlltjxrhe.exe	eiips.exe
File opened for modification	C:\Windows\rivpfzpgawabtlinal.exe	eiips.exe
File created	C:\Windows\sembmbmynedzmzrrzfrzozozlarqmzmeems.mbm	eiips.exe
File opened for modification	C:\Windows\bqbthzncuoqpfvqt.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\rivpfzpgawabtlinal.exe	eiips.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
2036	eiips.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	eiips.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1304	1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe	27
PID 1352 wrote to memory of 1304	1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe	27
PID 1352 wrote to memory of 1304	1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe	27
PID 1352 wrote to memory of 1304	1352	9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe	27
PID 1304 wrote to memory of 2036	1304	vsmxiywcfcw.exe	28
PID 1304 wrote to memory of 2036	1304	vsmxiywcfcw.exe	28
PID 1304 wrote to memory of 2036	1304	vsmxiywcfcw.exe	28
PID 1304 wrote to memory of 2036	1304	vsmxiywcfcw.exe	28
PID 1304 wrote to memory of 2020	1304	vsmxiywcfcw.exe	29
PID 1304 wrote to memory of 2020	1304	vsmxiywcfcw.exe	29
PID 1304 wrote to memory of 2020	1304	vsmxiywcfcw.exe	29
PID 1304 wrote to memory of 2020	1304	vsmxiywcfcw.exe	29

System policy modification 1 TTPs 29 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eiips.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	eiips.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	eiips.exe

C:\Users\Admin\AppData\Local\Temp\9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe
"C:\Users\Admin\AppData\Local\Temp\9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe
  "C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe" "c:\users\admin\appdata\local\temp\9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\eiips.exe
    "C:\Users\Admin\AppData\Local\Temp\eiips.exe" "-C:\Users\Admin\AppData\Local\Temp\bqbthzncuoqpfvqt.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\eiips.exe
    "C:\Users\Admin\AppData\Local\Temp\eiips.exe" "-C:\Users\Admin\AppData\Local\Temp\bqbthzncuoqpfvqt.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bqbthzncuoqpfvqt.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuidupgytqvxqjhnbnf.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyolebuolkrvqlltjxrhe.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\iykdslaqjehhyplpb.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixtlhzsomsvpjiperkz.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\rivpfzpgawabtlinal.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqhfzxrmkksxtpqzqfarpj.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6891a0eb15e72cf34c7074e710731d00

SHA1
0f58ed097bc64913cb3e46d2f69e61dd705e19a2

SHA256
eaff67dd1c2e4c9ceaa8bcc4e026a54b2a1606fcb3a897889567b3939a9149c4

SHA512
8c26fc96e746455c809f8b0c579b6cf846ebc6bff0a2254555b902d65cdf8e9592a040ea3c99a40d2cf25a812459e2f5fee758ff2663cb3b96da1901fa411c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6891a0eb15e72cf34c7074e710731d00

SHA1
0f58ed097bc64913cb3e46d2f69e61dd705e19a2

SHA256
eaff67dd1c2e4c9ceaa8bcc4e026a54b2a1606fcb3a897889567b3939a9149c4

SHA512
8c26fc96e746455c809f8b0c579b6cf846ebc6bff0a2254555b902d65cdf8e9592a040ea3c99a40d2cf25a812459e2f5fee758ff2663cb3b96da1901fa411c39

Download Submit
C:\Windows\SysWOW64\bqbthzncuoqpfvqt.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\cuidupgytqvxqjhnbnf.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\eyolebuolkrvqlltjxrhe.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\iykdslaqjehhyplpb.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\pixtlhzsomsvpjiperkz.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\rivpfzpgawabtlinal.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\SysWOW64\vqhfzxrmkksxtpqzqfarpj.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\bqbthzncuoqpfvqt.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\bqbthzncuoqpfvqt.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\cuidupgytqvxqjhnbnf.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\cuidupgytqvxqjhnbnf.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\eyolebuolkrvqlltjxrhe.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\eyolebuolkrvqlltjxrhe.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\iykdslaqjehhyplpb.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\iykdslaqjehhyplpb.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\pixtlhzsomsvpjiperkz.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\pixtlhzsomsvpjiperkz.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\rivpfzpgawabtlinal.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\rivpfzpgawabtlinal.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\vqhfzxrmkksxtpqzqfarpj.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
C:\Windows\vqhfzxrmkksxtpqzqfarpj.exe

Filesize
452KB

MD5
ededb0ae35ba9e887a481452d1aa88fb

SHA1
30489ed50d658c5e86828f3b7d2e2b7434eae1f8

SHA256
9354bba77ae87718da5777e07839199a225bb3eab122c8b5ab5398c5f8126ad8

SHA512
d2f26a810b41b52468a62217a2d7c617de1b0abde4211a27e80912fd1e291e36071858b051ea89f7e0c039e9cf3c72bde1d895f44233727bfca2fa2e86328b77

Download Submit
\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
\Users\Admin\AppData\Local\Temp\eiips.exe

Filesize
704KB

MD5
1ca62cb15977537607cf175b2e86ffe3

SHA1
5c4748e7e1baac5e6d2c0913b75bfe3eee193978

SHA256
88075a751e7f2b5777b8967729b9f1ec1b86685b465e0629dc92606586d5ae68

SHA512
5b2f61e7b0c75bbfaf53a35cf5fbc04babb258f6e347132a94eeac53ea5f4a4535ba1b140597e25269875c4f1775fa9686c75056aa4bf4f50b6bb990a3e12837

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6891a0eb15e72cf34c7074e710731d00

SHA1
0f58ed097bc64913cb3e46d2f69e61dd705e19a2

SHA256
eaff67dd1c2e4c9ceaa8bcc4e026a54b2a1606fcb3a897889567b3939a9149c4

SHA512
8c26fc96e746455c809f8b0c579b6cf846ebc6bff0a2254555b902d65cdf8e9592a040ea3c99a40d2cf25a812459e2f5fee758ff2663cb3b96da1901fa411c39

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6891a0eb15e72cf34c7074e710731d00

SHA1
0f58ed097bc64913cb3e46d2f69e61dd705e19a2

SHA256
eaff67dd1c2e4c9ceaa8bcc4e026a54b2a1606fcb3a897889567b3939a9149c4

SHA512
8c26fc96e746455c809f8b0c579b6cf846ebc6bff0a2254555b902d65cdf8e9592a040ea3c99a40d2cf25a812459e2f5fee758ff2663cb3b96da1901fa411c39

Download Submit
memory/1304-57-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/2020-67-0x0000000000000000-mapping.dmp

Download
memory/2036-63-0x0000000000000000-mapping.dmp

Download