7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

Analysis

max time kernel
186s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
Size

1016KB
MD5

7b392c5d219968a687bbcd35f46a9840
SHA1

88352c30b47b8791ee0b6269c665f617dd8dd4e2
SHA256

7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372
SHA512

b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070
SSDEEP

6144:yIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUKz:yIXsgtvm1De5YlOx6lzBH46Us

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vsmxiywcfcw.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eikpp.exe

Adds policy Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "iymdplgwmyvyypgcg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "rixpczvmdqostldafs.exe"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "iymdplgwmyvyypgcg.exe"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iymdplgwmyvyypgcg.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iymdplgwmyvyypgcg.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iymdplgwmyvyypgcg.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rydlobnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqdteztixiegfvlg.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgozfvkuekb = "bqdteztixiegfvlg.exe"	eikpp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe

Executes dropped EXE 3 IoCs

pid	Process
1724	vsmxiywcfcw.exe
1100	eikpp.exe
1704	eikpp.exe

Loads dropped DLL 6 IoCs

pid	Process
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
1724	vsmxiywcfcw.exe
1724	vsmxiywcfcw.exe
1724	vsmxiywcfcw.exe
1724	vsmxiywcfcw.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "eyqlbbauoefmqlggoesme.exe ."	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqdteztixiegfvlg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyqlbbauoefmqlggoesme.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyqlbbauoefmqlggoesme.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "iymdplgwmyvyypgcg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iymdplgwmyvyypgcg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iymdplgwmyvyypgcg.exe ."	eikpp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqdteztixiegfvlg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "bqdteztixiegfvlg.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "piztihfyrggmpjdcjyle.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "iymdplgwmyvyypgcg.exe ."	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "iymdplgwmyvyypgcg.exe"	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "eyqlbbauoefmqlggoesme.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "eyqlbbauoefmqlggoesme.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tenzgxnyjqig = "bqdteztixiegfvlg.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "eyqlbbauoefmqlggoesme.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqdteztixiegfvlg.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "bqdteztixiegfvlg.exe ."	eikpp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "cukdrpmewkjoqjcagug.exe ."	eikpp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "bqdteztixiegfvlg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqdteztixiegfvlg.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "iymdplgwmyvyypgcg.exe"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgrfohzmzicczn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe ."	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cukdrpmewkjoqjcagug.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iqwfjxksa = "piztihfyrggmpjdcjyle.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piztihfyrggmpjdcjyle.exe"	eikpp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	eikpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\seobjbseqyrqm = "bqdteztixiegfvlg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rixpczvmdqostldafs.exe"	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkrbgvjsbg = "bqdteztixiegfvlg.exe ."	eikpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyqlbbauoefmqlggoesme.exe"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wkwlvpiwkupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyqlbbauoefmqlggoesme.exe"	eikpp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eikpp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eikpp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyip.everdot.org
4	www.showmyipaddress.com
9	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cukdrpmewkjoqjcagug.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\iymdplgwmyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\cukdrpmewkjoqjcagug.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\rixpczvmdqostldafs.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\rixpczvmdqostldafs.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\eyqlbbauoefmqlggoesme.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\vqjfwxxsnegotplmvmbwpl.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\bqdteztixiegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\iymdplgwmyvyypgcg.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\iymdplgwmyvyypgcg.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\piztihfyrggmpjdcjyle.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\piztihfyrggmpjdcjyle.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File created	C:\Windows\SysWOW64\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File created	C:\Windows\SysWOW64\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\vqjfwxxsnegotplmvmbwpl.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\bqdteztixiegfvlg.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\bqdteztixiegfvlg.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\cukdrpmewkjoqjcagug.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\vqjfwxxsnegotplmvmbwpl.exe	eikpp.exe
File opened for modification	C:\Windows\SysWOW64\rixpczvmdqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\piztihfyrggmpjdcjyle.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\eyqlbbauoefmqlggoesme.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\eyqlbbauoefmqlggoesme.exe	eikpp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File created	C:\Program Files (x86)\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File opened for modification	C:\Program Files (x86)\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe
File created	C:\Program Files (x86)\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cukdrpmewkjoqjcagug.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\eyqlbbauoefmqlggoesme.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\vqjfwxxsnegotplmvmbwpl.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\iymdplgwmyvyypgcg.exe	eikpp.exe
File opened for modification	C:\Windows\cukdrpmewkjoqjcagug.exe	eikpp.exe
File opened for modification	C:\Windows\vqjfwxxsnegotplmvmbwpl.exe	eikpp.exe
File opened for modification	C:\Windows\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe
File opened for modification	C:\Windows\piztihfyrggmpjdcjyle.exe	eikpp.exe
File opened for modification	C:\Windows\iymdplgwmyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\piztihfyrggmpjdcjyle.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\bqdteztixiegfvlg.exe	eikpp.exe
File opened for modification	C:\Windows\rixpczvmdqostldafs.exe	eikpp.exe
File opened for modification	C:\Windows\cukdrpmewkjoqjcagug.exe	eikpp.exe
File opened for modification	C:\Windows\iymdplgwmyvyypgcg.exe	eikpp.exe
File opened for modification	C:\Windows\eyqlbbauoefmqlggoesme.exe	eikpp.exe
File opened for modification	C:\Windows\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File created	C:\Windows\tgrfohzmziccznbuvelyjxgzrerauurftmnw.qbp	eikpp.exe
File opened for modification	C:\Windows\eyqlbbauoefmqlggoesme.exe	eikpp.exe
File created	C:\Windows\oqqtrzgikirgsvygwuqssvtbi.mkt	eikpp.exe
File opened for modification	C:\Windows\bqdteztixiegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\rixpczvmdqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\bqdteztixiegfvlg.exe	eikpp.exe
File opened for modification	C:\Windows\piztihfyrggmpjdcjyle.exe	eikpp.exe
File opened for modification	C:\Windows\rixpczvmdqostldafs.exe	eikpp.exe
File opened for modification	C:\Windows\vqjfwxxsnegotplmvmbwpl.exe	eikpp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
1100	eikpp.exe
1100	eikpp.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	eikpp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1724	2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe	28
PID 2008 wrote to memory of 1724	2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe	28
PID 2008 wrote to memory of 1724	2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe	28
PID 2008 wrote to memory of 1724	2008	7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe	28
PID 1724 wrote to memory of 1100	1724	vsmxiywcfcw.exe	29
PID 1724 wrote to memory of 1100	1724	vsmxiywcfcw.exe	29
PID 1724 wrote to memory of 1100	1724	vsmxiywcfcw.exe	29
PID 1724 wrote to memory of 1100	1724	vsmxiywcfcw.exe	29
PID 1724 wrote to memory of 1704	1724	vsmxiywcfcw.exe	30
PID 1724 wrote to memory of 1704	1724	vsmxiywcfcw.exe	30
PID 1724 wrote to memory of 1704	1724	vsmxiywcfcw.exe	30
PID 1724 wrote to memory of 1704	1724	vsmxiywcfcw.exe	30

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	eikpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	eikpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	eikpp.exe

C:\Users\Admin\AppData\Local\Temp\7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe
"C:\Users\Admin\AppData\Local\Temp\7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe
  "C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe" "c:\users\admin\appdata\local\temp\7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\eikpp.exe
    "C:\Users\Admin\AppData\Local\Temp\eikpp.exe" "-C:\Users\Admin\AppData\Local\Temp\bqdteztixiegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\eikpp.exe
    "C:\Users\Admin\AppData\Local\Temp\eikpp.exe" "-C:\Users\Admin\AppData\Local\Temp\bqdteztixiegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bqdteztixiegfvlg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\cukdrpmewkjoqjcagug.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\cukdrpmewkjoqjcagug.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyqlbbauoefmqlggoesme.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyqlbbauoefmqlggoesme.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\iymdplgwmyvyypgcg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\piztihfyrggmpjdcjyle.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\piztihfyrggmpjdcjyle.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\rixpczvmdqostldafs.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqjfwxxsnegotplmvmbwpl.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqjfwxxsnegotplmvmbwpl.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
01af32e7446cfba0078e53de63518081

SHA1
defdcd2c7d86eb54707f206d4388e89c16976b11

SHA256
ea722fd2ff6bb56055be1c125ddb3199c6aab7bd3296c94e84d30f8e95b1979e

SHA512
a8c88daec0f53d4b21880fe248abd0584f84c433057d2803aa3ec0b0a72555e753d9436d5bca7a356503c579ca74c7f5308bb33bd727a4003101b9dc9d8c4f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
01af32e7446cfba0078e53de63518081

SHA1
defdcd2c7d86eb54707f206d4388e89c16976b11

SHA256
ea722fd2ff6bb56055be1c125ddb3199c6aab7bd3296c94e84d30f8e95b1979e

SHA512
a8c88daec0f53d4b21880fe248abd0584f84c433057d2803aa3ec0b0a72555e753d9436d5bca7a356503c579ca74c7f5308bb33bd727a4003101b9dc9d8c4f82

Download Submit
C:\Windows\SysWOW64\bqdteztixiegfvlg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\cukdrpmewkjoqjcagug.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\eyqlbbauoefmqlggoesme.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\iymdplgwmyvyypgcg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\piztihfyrggmpjdcjyle.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\rixpczvmdqostldafs.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\SysWOW64\vqjfwxxsnegotplmvmbwpl.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\bqdteztixiegfvlg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\bqdteztixiegfvlg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\cukdrpmewkjoqjcagug.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\cukdrpmewkjoqjcagug.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\eyqlbbauoefmqlggoesme.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\eyqlbbauoefmqlggoesme.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\iymdplgwmyvyypgcg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\iymdplgwmyvyypgcg.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\piztihfyrggmpjdcjyle.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\piztihfyrggmpjdcjyle.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\rixpczvmdqostldafs.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\rixpczvmdqostldafs.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\vqjfwxxsnegotplmvmbwpl.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
C:\Windows\vqjfwxxsnegotplmvmbwpl.exe

Filesize
1016KB

MD5
7b392c5d219968a687bbcd35f46a9840

SHA1
88352c30b47b8791ee0b6269c665f617dd8dd4e2

SHA256
7f54f866cb45a430e2d725b6998b710a6c71472f56e07aa50f043899a2962372

SHA512
b265c01b82bac0f7131bcdc60815c292e60b2a94a27aea6c67f66dca27c3b8c370258c3f5e6d45a8bf4be1929a1fc1b13541bca703a6ed7b09a7772089f06070

Download Submit
\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
\Users\Admin\AppData\Local\Temp\eikpp.exe

Filesize
716KB

MD5
ff49dcd54cfd95c98aa96030b81f5013

SHA1
e68933a58a2fe7673928c7638930e786ac48db3e

SHA256
79c16a2540bfa9110d6e31dc894a4f2c3f630ff4ecfce7e92868c6cbcc7193a8

SHA512
4d4ab32fd8c527b97e136002c89c72ac87eee7813a756d7dc332e77d573863ff1ec398518af818dbaa686ecc7b61045818fdcf07c951e37ed6b4f210285cea2d

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
01af32e7446cfba0078e53de63518081

SHA1
defdcd2c7d86eb54707f206d4388e89c16976b11

SHA256
ea722fd2ff6bb56055be1c125ddb3199c6aab7bd3296c94e84d30f8e95b1979e

SHA512
a8c88daec0f53d4b21880fe248abd0584f84c433057d2803aa3ec0b0a72555e753d9436d5bca7a356503c579ca74c7f5308bb33bd727a4003101b9dc9d8c4f82

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
01af32e7446cfba0078e53de63518081

SHA1
defdcd2c7d86eb54707f206d4388e89c16976b11

SHA256
ea722fd2ff6bb56055be1c125ddb3199c6aab7bd3296c94e84d30f8e95b1979e

SHA512
a8c88daec0f53d4b21880fe248abd0584f84c433057d2803aa3ec0b0a72555e753d9436d5bca7a356503c579ca74c7f5308bb33bd727a4003101b9dc9d8c4f82

Download Submit
memory/2008-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download