b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
Size

564KB
MD5

83f33c91469fc991bbc584015ab497c3
SHA1

1f53eb45b325b0868f1ba0bacef2533ea10a7fea
SHA256

b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3
SHA512

065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9
SSDEEP

12288:qmaNhOPnxBnHkapLjTn/rhlUy1WotA7dM9BAYdNUGotp0:qCBnHZpLHrtWotkC/Ubp0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	prxegm.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfzukecvmftrlkeiwflb.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "ivmeridthxiduqhit.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "evqmdyxrjdsrmmhmblsje.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "pfzukecvmftrlkeiwflb.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vvze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "ivmeridthxiduqhit.exe"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfmuxep = "crketmjbrjwtmkdgtbg.exe"	prxegm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe

Executes dropped EXE 3 IoCs

pid	Process
1020	ixiyjejjshs.exe
1980	prxegm.exe
1932	prxegm.exe

Loads dropped DLL 6 IoCs

pid	Process
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1020	ixiyjejjshs.exe
1020	ixiyjejjshs.exe
1020	ixiyjejjshs.exe
1020	ixiyjejjshs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe ."	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivmeridthxiduqhit.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe"	prxegm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfzukecvmftrlkeiwflb.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "crketmjbrjwtmkdgtbg.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe ."	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inwgluhpv = "pfzukecvmftrlkeiwflb.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe"	prxegm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "pfzukecvmftrlkeiwflb.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivmeridthxiduqhit.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe"	prxegm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inwgluhpv = "crketmjbrjwtmkdgtbg.exe ."	prxegm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "crketmjbrjwtmkdgtbg.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivmeridthxiduqhit.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivmeridthxiduqhit.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "ivmeridthxiduqhit.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "bndugwqfshrlbwmm.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfzukecvmftrlkeiwflb.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inwgluhpv = "rfxqewsjypbxpmegsz.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inwgluhpv = "evqmdyxrjdsrmmhmblsje.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "pfzukecvmftrlkeiwflb.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "ivmeridthxiduqhit.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "pfzukecvmftrlkeiwflb.exe"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inwgluhpv = "crketmjbrjwtmkdgtbg.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "pfzukecvmftrlkeiwflb.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "ivmeridthxiduqhit.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crketmjbrjwtmkdgtbg.exe"	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\efkqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "ivmeridthxiduqhit.exe ."	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdoahshrzjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfxqewsjypbxpmegsz.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "evqmdyxrjdsrmmhmblsje.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\efkqr = "bndugwqfshrlbwmm.exe"	prxegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhrcisgpwf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfzukecvmftrlkeiwflb.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bndugwqfshrlbwmm.exe ."	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvdmqykr = "evqmdyxrjdsrmmhmblsje.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	prxegm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\prxegm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evqmdyxrjdsrmmhmblsje.exe ."	prxegm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prxegm.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	www.showmyipaddress.com
8	whatismyip.everdot.org
10	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\ivmeridthxiduqhit.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\rfxqewsjypbxpmegsz.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\vnjgyuupidttpqmsitbtpm.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\ivmeridthxiduqhit.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\evqmdyxrjdsrmmhmblsje.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\pfzukecvmftrlkeiwflb.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\rfxqewsjypbxpmegsz.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\pfzukecvmftrlkeiwflb.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\bndugwqfshrlbwmm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\crketmjbrjwtmkdgtbg.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\pfzukecvmftrlkeiwflb.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\evqmdyxrjdsrmmhmblsje.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\ivmeridthxiduqhit.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\vnjgyuupidttpqmsitbtpm.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\vnjgyuupidttpqmsitbtpm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\crketmjbrjwtmkdgtbg.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\evqmdyxrjdsrmmhmblsje.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\bndugwqfshrlbwmm.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\rfxqewsjypbxpmegsz.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\bndugwqfshrlbwmm.exe	prxegm.exe
File opened for modification	C:\Windows\SysWOW64\crketmjbrjwtmkdgtbg.exe	prxegm.exe
File created	C:\Windows\SysWOW64\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe
File created	C:\Program Files (x86)\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe
File opened for modification	C:\Program Files (x86)\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe
File created	C:\Program Files (x86)\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\crketmjbrjwtmkdgtbg.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\crketmjbrjwtmkdgtbg.exe	prxegm.exe
File opened for modification	C:\Windows\vnjgyuupidttpqmsitbtpm.exe	prxegm.exe
File opened for modification	C:\Windows\bndugwqfshrlbwmm.exe	prxegm.exe
File opened for modification	C:\Windows\ivmeridthxiduqhit.exe	prxegm.exe
File opened for modification	C:\Windows\crketmjbrjwtmkdgtbg.exe	prxegm.exe
File opened for modification	C:\Windows\evqmdyxrjdsrmmhmblsje.exe	prxegm.exe
File opened for modification	C:\Windows\vnjgyuupidttpqmsitbtpm.exe	prxegm.exe
File opened for modification	C:\Windows\pfzukecvmftrlkeiwflb.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\pfzukecvmftrlkeiwflb.exe	prxegm.exe
File opened for modification	C:\Windows\evqmdyxrjdsrmmhmblsje.exe	prxegm.exe
File opened for modification	C:\Windows\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe
File opened for modification	C:\Windows\bndugwqfshrlbwmm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\evqmdyxrjdsrmmhmblsje.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\rfxqewsjypbxpmegsz.exe	prxegm.exe
File opened for modification	C:\Windows\rfxqewsjypbxpmegsz.exe	prxegm.exe
File opened for modification	C:\Windows\pfzukecvmftrlkeiwflb.exe	prxegm.exe
File created	C:\Windows\tbnaiukvepvlxoawcdbjviqcsdmxdtfwie.ljr	prxegm.exe
File opened for modification	C:\Windows\ivmeridthxiduqhit.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\rfxqewsjypbxpmegsz.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\vnjgyuupidttpqmsitbtpm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\bndugwqfshrlbwmm.exe	prxegm.exe
File opened for modification	C:\Windows\ivmeridthxiduqhit.exe	prxegm.exe
File opened for modification	C:\Windows\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe
File created	C:\Windows\gdegdejjhhchiopavlyvwyv.bbz	prxegm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1932	prxegm.exe
1932	prxegm.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
1932	prxegm.exe
1932	prxegm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	prxegm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1020	1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe	27
PID 1824 wrote to memory of 1020	1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe	27
PID 1824 wrote to memory of 1020	1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe	27
PID 1824 wrote to memory of 1020	1824	b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe	27
PID 1020 wrote to memory of 1980	1020	ixiyjejjshs.exe	28
PID 1020 wrote to memory of 1980	1020	ixiyjejjshs.exe	28
PID 1020 wrote to memory of 1980	1020	ixiyjejjshs.exe	28
PID 1020 wrote to memory of 1980	1020	ixiyjejjshs.exe	28
PID 1020 wrote to memory of 1932	1020	ixiyjejjshs.exe	29
PID 1020 wrote to memory of 1932	1020	ixiyjejjshs.exe	29
PID 1020 wrote to memory of 1932	1020	ixiyjejjshs.exe	29
PID 1020 wrote to memory of 1932	1020	ixiyjejjshs.exe	29

System policy modification 1 TTPs 29 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	prxegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	prxegm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	prxegm.exe

C:\Users\Admin\AppData\Local\Temp\b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe
"C:\Users\Admin\AppData\Local\Temp\b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
  "C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe" "c:\users\admin\appdata\local\temp\b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\prxegm.exe
    "C:\Users\Admin\AppData\Local\Temp\prxegm.exe" "-C:\Users\Admin\AppData\Local\Temp\bndugwqfshrlbwmm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\prxegm.exe
    "C:\Users\Admin\AppData\Local\Temp\prxegm.exe" "-C:\Users\Admin\AppData\Local\Temp\bndugwqfshrlbwmm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bndugwqfshrlbwmm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\crketmjbrjwtmkdgtbg.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\evqmdyxrjdsrmmhmblsje.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivmeridthxiduqhit.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
2e1b05cc1fd714e13603fdcf7656ac20

SHA1
1499559dc5c50852c4d8aaed9e75f66a20c187a1

SHA256
6442964dba07820c72976100d642c5a3baf8dd33238490faa114836dfcf95e97

SHA512
17e252d7b140d83cd2e28fc874a292d8db3d56d21166bd9126f895a0ddae5a75b2d04cd2b4e1e50fbf7fe59bebf20c70dc0f15da1855d61daece2a6dfa8402b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
2e1b05cc1fd714e13603fdcf7656ac20

SHA1
1499559dc5c50852c4d8aaed9e75f66a20c187a1

SHA256
6442964dba07820c72976100d642c5a3baf8dd33238490faa114836dfcf95e97

SHA512
17e252d7b140d83cd2e28fc874a292d8db3d56d21166bd9126f895a0ddae5a75b2d04cd2b4e1e50fbf7fe59bebf20c70dc0f15da1855d61daece2a6dfa8402b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfzukecvmftrlkeiwflb.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfxqewsjypbxpmegsz.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnjgyuupidttpqmsitbtpm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\bndugwqfshrlbwmm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\crketmjbrjwtmkdgtbg.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\evqmdyxrjdsrmmhmblsje.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\ivmeridthxiduqhit.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\pfzukecvmftrlkeiwflb.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\rfxqewsjypbxpmegsz.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\SysWOW64\vnjgyuupidttpqmsitbtpm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\bndugwqfshrlbwmm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\bndugwqfshrlbwmm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\crketmjbrjwtmkdgtbg.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\crketmjbrjwtmkdgtbg.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\evqmdyxrjdsrmmhmblsje.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\evqmdyxrjdsrmmhmblsje.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\ivmeridthxiduqhit.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\ivmeridthxiduqhit.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\pfzukecvmftrlkeiwflb.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\pfzukecvmftrlkeiwflb.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\rfxqewsjypbxpmegsz.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\rfxqewsjypbxpmegsz.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\vnjgyuupidttpqmsitbtpm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
C:\Windows\vnjgyuupidttpqmsitbtpm.exe

Filesize
564KB

MD5
83f33c91469fc991bbc584015ab497c3

SHA1
1f53eb45b325b0868f1ba0bacef2533ea10a7fea

SHA256
b7138253b4ebe17bcd38cfd48f8ee20f096588a42ad36922cf8fce4e187088f3

SHA512
065e0133b35dfad3360b6d6bcbc1fc609c38d872c0352d3d40354baf36bc9666e286ec4b5d694f42edb0e112fe39a9b29e788d03abd70c1ee064bd972cf1c8e9

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
2e1b05cc1fd714e13603fdcf7656ac20

SHA1
1499559dc5c50852c4d8aaed9e75f66a20c187a1

SHA256
6442964dba07820c72976100d642c5a3baf8dd33238490faa114836dfcf95e97

SHA512
17e252d7b140d83cd2e28fc874a292d8db3d56d21166bd9126f895a0ddae5a75b2d04cd2b4e1e50fbf7fe59bebf20c70dc0f15da1855d61daece2a6dfa8402b8

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
2e1b05cc1fd714e13603fdcf7656ac20

SHA1
1499559dc5c50852c4d8aaed9e75f66a20c187a1

SHA256
6442964dba07820c72976100d642c5a3baf8dd33238490faa114836dfcf95e97

SHA512
17e252d7b140d83cd2e28fc874a292d8db3d56d21166bd9126f895a0ddae5a75b2d04cd2b4e1e50fbf7fe59bebf20c70dc0f15da1855d61daece2a6dfa8402b8

Download Submit
\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
\Users\Admin\AppData\Local\Temp\prxegm.exe

Filesize
712KB

MD5
ed77aa47cc51ac077c69f7c36e465824

SHA1
f545e0716d936ee4cc129dbfd0f48a454e358339

SHA256
d9bb6edb5733e9ee75e223a367a4f247bbe71cb173076128761dcc92d6734950

SHA512
360f95706a8a89299d171371be25a68bfd46e9792c9a41e602ce38b7d19c4d5d2a9328c878ce37cc2699fbc23453c8258266be65c8f678bc139e1f9580bf24c7

Download Submit
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download