a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
Size

1016KB
MD5

8367208a09c8a297cff6ba776dea5c10
SHA1

67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a
SHA256

a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f
SHA512

027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4
SSDEEP

6144:DIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUPv:DIXsgtvm1De5YlOx6lzBH46UPv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	abkqv.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abkqv.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "arqmhyxokfqiojambtofe.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "ynkexmjyslukohwgtjc.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqmhyxokfqiojambtofe.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "xjdukwqctjpcdtfm.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "arqmhyxokfqiojambtofe.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxnamuksfrtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe"	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdwmbmfqgvammbm = "lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe

Executes dropped EXE 3 IoCs

pid	Process
2036	gokvcejrqyu.exe
1468	abkqv.exe
1544	abkqv.exe

Loads dropped DLL 6 IoCs

pid	Process
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
2036	gokvcejrqyu.exe
2036	gokvcejrqyu.exe
2036	gokvcejrqyu.exe
2036	gokvcejrqyu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "xjdukwqctjpcdtfm.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjdukwqctjpcdtfm.exe"	gokvcejrqyu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "xjdukwqctjpcdtfm.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ermevidqizguwnait.exe ."	abkqv.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "xjdukwqctjpcdtfm.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "arqmhyxokfqiojambtofe.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "ermevidqizguwnait.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "nbxqiwsgzrzorjxgsh.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nbxqiwsgzrzorjxgsh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ermevidqizguwnait.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjdukwqctjpcdtfm.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ermevidqizguwnait = "arqmhyxokfqiojambtofe.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqmhyxokfqiojambtofe.exe ."	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arqmhyxokfqiojambtofe.exe ."	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjdukwqctjpcdtfm.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ermevidqizguwnait = "xjdukwqctjpcdtfm.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ermevidqizguwnait.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nbxqiwsgzrzorjxgsh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjdukwqctjpcdtfm.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ermevidqizguwnait = "ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "ermevidqizguwnait.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nbxqiwsgzrzorjxgsh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjdukwqctjpcdtfm.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "ermevidqizguwnait.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nbxqiwsgzrzorjxgsh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	abkqv.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "ermevidqizguwnait.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzuoecsnhrinhxiwnhx.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "ynkexmjyslukohwgtjc.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynkexmjyslukohwgtjc.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "arqmhyxokfqiojambtofe.exe ."	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzrguewgvjnyxl = "arqmhyxokfqiojambtofe.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "arqmhyxokfqiojambtofe.exe"	abkqv.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ynkexmjyslukohwgtjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbxqiwsgzrzorjxgsh.exe"	abkqv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxocpypymzcmk = "ynkexmjyslukohwgtjc.exe"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjdukwqctjpcdtfm = "lbzuoecsnhrinhxiwnhx.exe"	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ermevidqizguwnait = "lbzuoecsnhrinhxiwnhx.exe ."	abkqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ermevidqizguwnait = "xjdukwqctjpcdtfm.exe ."	abkqv.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gokvcejrqyu.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	www.showmyipaddress.com
6	whatismyip.everdot.org
7	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ermevidqizguwnait.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\lbzuoecsnhrinhxiwnhx.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\rjjgcuumjfrkrnfsibxppm.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\ermevidqizguwnait.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\xjdukwqctjpcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\nbxqiwsgzrzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\ynkexmjyslukohwgtjc.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\lbzuoecsnhrinhxiwnhx.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\xjdukwqctjpcdtfm.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\nbxqiwsgzrzorjxgsh.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\arqmhyxokfqiojambtofe.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe
File created	C:\Windows\SysWOW64\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\rjjgcuumjfrkrnfsibxppm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\nbxqiwsgzrzorjxgsh.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\arqmhyxokfqiojambtofe.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\xjdukwqctjpcdtfm.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\rjjgcuumjfrkrnfsibxppm.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\ermevidqizguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\arqmhyxokfqiojambtofe.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\ynkexmjyslukohwgtjc.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\ynkexmjyslukohwgtjc.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\lbzuoecsnhrinhxiwnhx.exe	abkqv.exe
File opened for modification	C:\Windows\SysWOW64\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe
File created	C:\Windows\SysWOW64\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe
File opened for modification	C:\Program Files (x86)\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe
File created	C:\Program Files (x86)\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe
File opened for modification	C:\Program Files (x86)\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ynkexmjyslukohwgtjc.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\ermevidqizguwnait.exe	abkqv.exe
File opened for modification	C:\Windows\arqmhyxokfqiojambtofe.exe	abkqv.exe
File opened for modification	C:\Windows\rjjgcuumjfrkrnfsibxppm.exe	abkqv.exe
File opened for modification	C:\Windows\xjdukwqctjpcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\ermevidqizguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\nbxqiwsgzrzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\lbzuoecsnhrinhxiwnhx.exe	abkqv.exe
File opened for modification	C:\Windows\lbzuoecsnhrinhxiwnhx.exe	abkqv.exe
File created	C:\Windows\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe
File opened for modification	C:\Windows\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe
File created	C:\Windows\szoalshoalmuqbikpxipeqbixeqbckgry.fny	abkqv.exe
File opened for modification	C:\Windows\rjjgcuumjfrkrnfsibxppm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\nbxqiwsgzrzorjxgsh.exe	abkqv.exe
File opened for modification	C:\Windows\ynkexmjyslukohwgtjc.exe	abkqv.exe
File opened for modification	C:\Windows\ermevidqizguwnait.exe	abkqv.exe
File opened for modification	C:\Windows\nbxqiwsgzrzorjxgsh.exe	abkqv.exe
File opened for modification	C:\Windows\ynkexmjyslukohwgtjc.exe	abkqv.exe
File opened for modification	C:\Windows\bxbccycyzzpmxxtkebbxbc.ycy	abkqv.exe
File opened for modification	C:\Windows\lbzuoecsnhrinhxiwnhx.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\arqmhyxokfqiojambtofe.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\xjdukwqctjpcdtfm.exe	abkqv.exe
File opened for modification	C:\Windows\rjjgcuumjfrkrnfsibxppm.exe	abkqv.exe
File opened for modification	C:\Windows\xjdukwqctjpcdtfm.exe	abkqv.exe
File opened for modification	C:\Windows\arqmhyxokfqiojambtofe.exe	abkqv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1468	abkqv.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1468	abkqv.exe
1468	abkqv.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	abkqv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2036	1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe	27
PID 1144 wrote to memory of 2036	1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe	27
PID 1144 wrote to memory of 2036	1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe	27
PID 1144 wrote to memory of 2036	1144	a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe	27
PID 2036 wrote to memory of 1468	2036	gokvcejrqyu.exe	28
PID 2036 wrote to memory of 1468	2036	gokvcejrqyu.exe	28
PID 2036 wrote to memory of 1468	2036	gokvcejrqyu.exe	28
PID 2036 wrote to memory of 1468	2036	gokvcejrqyu.exe	28
PID 2036 wrote to memory of 1544	2036	gokvcejrqyu.exe	29
PID 2036 wrote to memory of 1544	2036	gokvcejrqyu.exe	29
PID 2036 wrote to memory of 1544	2036	gokvcejrqyu.exe	29
PID 2036 wrote to memory of 1544	2036	gokvcejrqyu.exe	29

System policy modification 1 TTPs 29 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	abkqv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	abkqv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	abkqv.exe

C:\Users\Admin\AppData\Local\Temp\a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe
"C:\Users\Admin\AppData\Local\Temp\a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe
  "C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe" "c:\users\admin\appdata\local\temp\a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\abkqv.exe
    "C:\Users\Admin\AppData\Local\Temp\abkqv.exe" "-C:\Users\Admin\AppData\Local\Temp\xjdukwqctjpcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\abkqv.exe
    "C:\Users\Admin\AppData\Local\Temp\abkqv.exe" "-C:\Users\Admin\AppData\Local\Temp\xjdukwqctjpcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqmhyxokfqiojambtofe.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ermevidqizguwnait.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
222ae8fa1872cb7ab5f53cc9fc6b582e

SHA1
5f24ff1f7353f0c0fa63f46b75bd5df4ac4c35eb

SHA256
fdc2029e3acb876ee9021e2d3a0c00b03e9069d5698026e1a6072de17c6e3aff

SHA512
a00c30f4491e5293c31001b5116fc39507397dc8b2136ab6448a37b66915efaf66453d961385803fa4498f800b76be4188a246534239ffe2cb61307c944731ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
222ae8fa1872cb7ab5f53cc9fc6b582e

SHA1
5f24ff1f7353f0c0fa63f46b75bd5df4ac4c35eb

SHA256
fdc2029e3acb876ee9021e2d3a0c00b03e9069d5698026e1a6072de17c6e3aff

SHA512
a00c30f4491e5293c31001b5116fc39507397dc8b2136ab6448a37b66915efaf66453d961385803fa4498f800b76be4188a246534239ffe2cb61307c944731ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbzuoecsnhrinhxiwnhx.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbxqiwsgzrzorjxgsh.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjjgcuumjfrkrnfsibxppm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjdukwqctjpcdtfm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynkexmjyslukohwgtjc.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\arqmhyxokfqiojambtofe.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\ermevidqizguwnait.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\lbzuoecsnhrinhxiwnhx.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\nbxqiwsgzrzorjxgsh.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\rjjgcuumjfrkrnfsibxppm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\xjdukwqctjpcdtfm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\SysWOW64\ynkexmjyslukohwgtjc.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\arqmhyxokfqiojambtofe.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\arqmhyxokfqiojambtofe.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\ermevidqizguwnait.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\ermevidqizguwnait.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\lbzuoecsnhrinhxiwnhx.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\lbzuoecsnhrinhxiwnhx.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\nbxqiwsgzrzorjxgsh.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\nbxqiwsgzrzorjxgsh.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\rjjgcuumjfrkrnfsibxppm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\rjjgcuumjfrkrnfsibxppm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\xjdukwqctjpcdtfm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\xjdukwqctjpcdtfm.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\ynkexmjyslukohwgtjc.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
C:\Windows\ynkexmjyslukohwgtjc.exe

Filesize
1016KB

MD5
8367208a09c8a297cff6ba776dea5c10

SHA1
67b37fb92f773c2d9d48ec9ed6ea1b93e169c28a

SHA256
a5926eb99efd045f8b2050b665ad826d526fc4a844fae109ec85234c7b26ad7f

SHA512
027fc07e872e2c429faafeaa12152cf729dd475de49bed6db5aaa40770b338d40b23363a61d78348f01a85b096516a8deb05bb305a94cbfe51c7b80f69a962e4

Download Submit
\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
\Users\Admin\AppData\Local\Temp\abkqv.exe

Filesize
708KB

MD5
448da6778ad4bab5f88e71daeb9d8dee

SHA1
4e933bb2bdc3a33d410c25628c02893246d333bd

SHA256
246e0e95cdf1d3516a0dad3054a19220a279ed2eabe922ae91d635f37f795309

SHA512
13bd6815dd84d2628844885808e99f0c7a58acfb71e4f9d213f1381206553b8cd1b5082295021f711ea77ecb4d826a8a547751166d8f412c6590db19691e9f37

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
222ae8fa1872cb7ab5f53cc9fc6b582e

SHA1
5f24ff1f7353f0c0fa63f46b75bd5df4ac4c35eb

SHA256
fdc2029e3acb876ee9021e2d3a0c00b03e9069d5698026e1a6072de17c6e3aff

SHA512
a00c30f4491e5293c31001b5116fc39507397dc8b2136ab6448a37b66915efaf66453d961385803fa4498f800b76be4188a246534239ffe2cb61307c944731ee

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
222ae8fa1872cb7ab5f53cc9fc6b582e

SHA1
5f24ff1f7353f0c0fa63f46b75bd5df4ac4c35eb

SHA256
fdc2029e3acb876ee9021e2d3a0c00b03e9069d5698026e1a6072de17c6e3aff

SHA512
a00c30f4491e5293c31001b5116fc39507397dc8b2136ab6448a37b66915efaf66453d961385803fa4498f800b76be4188a246534239ffe2cb61307c944731ee

Download Submit
memory/1144-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1468-63-0x0000000000000000-mapping.dmp

Download
memory/1544-68-0x0000000000000000-mapping.dmp

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download