67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
Size

492KB
MD5

2b3ce24e444d93996e1f1da00e37816d
SHA1

b5c2525f9ecba5e3542ea54633f5fdc794c87448
SHA256

67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed
SHA512

0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8
SSDEEP

12288:J2iwn/ND7S3xI66S/H3UyKxWn2hJ+MRmhhhQoW:J213Sed0XjhG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vajop.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vajop.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "zqlcpgerkzguwnait.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqlcpgerkzguwnait.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "vqpkbwypmfqiojambtjed.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "vqpkbwypmfqiojambtjed.exe"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "sicseurdvjpcdtfm.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sicseurdvjpcdtfm.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zivejsiny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kwmygslthrtc = "zqlcpgerkzguwnait.exe"	vajop.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe

Executes dropped EXE 3 IoCs

pid	Process
604	gokvcejrqyu.exe
1680	vajop.exe
1636	vajop.exe

Loads dropped DLL 6 IoCs

pid	Process
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
604	gokvcejrqyu.exe
604	gokvcejrqyu.exe
604	gokvcejrqyu.exe
604	gokvcejrqyu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "zqlcpgerkzguwnait.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "tmjcrkkzulukohwgtjx.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "sicseurdvjpcdtfm.exe"	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "sicseurdvjpcdtfm.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncvkvkgrivammbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "sicseurdvjpcdtfm.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncvkvkgrivammbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqlcpgerkzguwnait.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sicseurdvjpcdtfm.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "vqpkbwypmfqiojambtjed.exe ."	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqlcpgerkzguwnait.exe"	vajop.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kyqeocxhxjnyxl = "sicseurdvjpcdtfm.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "zqlcpgerkzguwnait.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "tmjcrkkzulukohwgtjx.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kyqeocxhxjnyxl = "sicseurdvjpcdtfm.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqlcpgerkzguwnait.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "sicseurdvjpcdtfm.exe"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sicseurdvjpcdtfm.exe ."	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gokvcejrqyu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "vqpkbwypmfqiojambtjed.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "gaysicdtphrinhxiwncw.exe ."	vajop.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncvkvkgrivammbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sicseurdvjpcdtfm.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncvkvkgrivammbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sicseurdvjpcdtfm.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncvkvkgrivammbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe ."	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kyqeocxhxjnyxl = "gaysicdtphrinhxiwncw.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kyqeocxhxjnyxl = "zqlcpgerkzguwnait.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "tmjcrkkzulukohwgtjx.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\jwnajwqzozcmk = "vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kyqeocxhxjnyxl = "tmjcrkkzulukohwgtjx.exe ."	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "iawocuthbrzorjxgsh.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmjcrkkzulukohwgtjx.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaysicdtphrinhxiwncw.exe"	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iawocuthbrzorjxgsh.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\scqagqhnzh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe"	vajop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nynyfqipclm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqlcpgerkzguwnait.exe ."	vajop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sicseurdvjpcdtfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqpkbwypmfqiojambtjed.exe"	vajop.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vajop.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	www.showmyipaddress.com
6	whatismyipaddress.com
8	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zqlcpgerkzguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\iawocuthbrzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\gaysicdtphrinhxiwncw.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\tmjcrkkzulukohwgtjx.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\gaysicdtphrinhxiwncw.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\sicseurdvjpcdtfm.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\iawocuthbrzorjxgsh.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\tmjcrkkzulukohwgtjx.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\sicseurdvjpcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\tmjcrkkzulukohwgtjx.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\zqlcpgerkzguwnait.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\iawocuthbrzorjxgsh.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\zqlcpgerkzguwnait.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\miiewsvnlfrkrnfsibsook.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\xydebckhkjaykliavtpqvwt.czc	vajop.exe
File created	C:\Windows\SysWOW64\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe
File opened for modification	C:\Windows\SysWOW64\vqpkbwypmfqiojambtjed.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\miiewsvnlfrkrnfsibsook.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\sicseurdvjpcdtfm.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\vqpkbwypmfqiojambtjed.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\miiewsvnlfrkrnfsibsook.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\gaysicdtphrinhxiwncw.exe	vajop.exe
File opened for modification	C:\Windows\SysWOW64\vqpkbwypmfqiojambtjed.exe	vajop.exe
File created	C:\Windows\SysWOW64\xydebckhkjaykliavtpqvwt.czc	vajop.exe
File opened for modification	C:\Windows\SysWOW64\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe
File created	C:\Program Files (x86)\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe
File opened for modification	C:\Program Files (x86)\xydebckhkjaykliavtpqvwt.czc	vajop.exe
File created	C:\Program Files (x86)\xydebckhkjaykliavtpqvwt.czc	vajop.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tmjcrkkzulukohwgtjx.exe	vajop.exe
File opened for modification	C:\Windows\sicseurdvjpcdtfm.exe	vajop.exe
File opened for modification	C:\Windows\gaysicdtphrinhxiwncw.exe	vajop.exe
File opened for modification	C:\Windows\vqpkbwypmfqiojambtjed.exe	vajop.exe
File created	C:\Windows\xydebckhkjaykliavtpqvwt.czc	vajop.exe
File created	C:\Windows\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe
File opened for modification	C:\Windows\iawocuthbrzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\vqpkbwypmfqiojambtjed.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\zqlcpgerkzguwnait.exe	vajop.exe
File opened for modification	C:\Windows\zqlcpgerkzguwnait.exe	vajop.exe
File opened for modification	C:\Windows\tmjcrkkzulukohwgtjx.exe	vajop.exe
File opened for modification	C:\Windows\miiewsvnlfrkrnfsibsook.exe	vajop.exe
File opened for modification	C:\Windows\xydebckhkjaykliavtpqvwt.czc	vajop.exe
File opened for modification	C:\Windows\sicseurdvjpcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\zqlcpgerkzguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\tmjcrkkzulukohwgtjx.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\iawocuthbrzorjxgsh.exe	vajop.exe
File opened for modification	C:\Windows\kwmygslthrtczltwclseugoatbpzbkhtbe.tam	vajop.exe
File opened for modification	C:\Windows\gaysicdtphrinhxiwncw.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\miiewsvnlfrkrnfsibsook.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\sicseurdvjpcdtfm.exe	vajop.exe
File opened for modification	C:\Windows\gaysicdtphrinhxiwncw.exe	vajop.exe
File opened for modification	C:\Windows\vqpkbwypmfqiojambtjed.exe	vajop.exe
File opened for modification	C:\Windows\miiewsvnlfrkrnfsibsook.exe	vajop.exe
File opened for modification	C:\Windows\iawocuthbrzorjxgsh.exe	vajop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
1680	vajop.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
1680	vajop.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	vajop.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 604	2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe	26
PID 2020 wrote to memory of 604	2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe	26
PID 2020 wrote to memory of 604	2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe	26
PID 2020 wrote to memory of 604	2020	67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe	26
PID 604 wrote to memory of 1680	604	gokvcejrqyu.exe	27
PID 604 wrote to memory of 1680	604	gokvcejrqyu.exe	27
PID 604 wrote to memory of 1680	604	gokvcejrqyu.exe	27
PID 604 wrote to memory of 1680	604	gokvcejrqyu.exe	27
PID 604 wrote to memory of 1636	604	gokvcejrqyu.exe	28
PID 604 wrote to memory of 1636	604	gokvcejrqyu.exe	28
PID 604 wrote to memory of 1636	604	gokvcejrqyu.exe	28
PID 604 wrote to memory of 1636	604	gokvcejrqyu.exe	28

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vajop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vajop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vajop.exe

C:\Users\Admin\AppData\Local\Temp\67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe
"C:\Users\Admin\AppData\Local\Temp\67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe
  "C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe" "c:\users\admin\appdata\local\temp\67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\vajop.exe
    "C:\Users\Admin\AppData\Local\Temp\vajop.exe" "-C:\Users\Admin\AppData\Local\Temp\sicseurdvjpcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1680
- - C:\Users\Admin\AppData\Local\Temp\vajop.exe
    "C:\Users\Admin\AppData\Local\Temp\vajop.exe" "-C:\Users\Admin\AppData\Local\Temp\sicseurdvjpcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gaysicdtphrinhxiwncw.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
9a3bd7945d6017a2f068bce0ee07f7b0

SHA1
151c5f1544656013309b4736f6960416d841e2ff

SHA256
720f8a6b23a8fa47cacac196d063d31693d7570aaadea9279ca5296d668b7c9c

SHA512
57ab27559f11beb0c6137cd172ce78407bbe89f4cda1ad4cc5dfc350b514572cf78cc9eae785fc3ff8e1e368b9c0b71e9ffd9d89325bd48067adf531d77d95c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
9a3bd7945d6017a2f068bce0ee07f7b0

SHA1
151c5f1544656013309b4736f6960416d841e2ff

SHA256
720f8a6b23a8fa47cacac196d063d31693d7570aaadea9279ca5296d668b7c9c

SHA512
57ab27559f11beb0c6137cd172ce78407bbe89f4cda1ad4cc5dfc350b514572cf78cc9eae785fc3ff8e1e368b9c0b71e9ffd9d89325bd48067adf531d77d95c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iawocuthbrzorjxgsh.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\miiewsvnlfrkrnfsibsook.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sicseurdvjpcdtfm.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmjcrkkzulukohwgtjx.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqpkbwypmfqiojambtjed.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqlcpgerkzguwnait.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\gaysicdtphrinhxiwncw.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\iawocuthbrzorjxgsh.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\miiewsvnlfrkrnfsibsook.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\sicseurdvjpcdtfm.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\tmjcrkkzulukohwgtjx.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\vqpkbwypmfqiojambtjed.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\SysWOW64\zqlcpgerkzguwnait.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\gaysicdtphrinhxiwncw.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\gaysicdtphrinhxiwncw.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\iawocuthbrzorjxgsh.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\iawocuthbrzorjxgsh.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\miiewsvnlfrkrnfsibsook.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\miiewsvnlfrkrnfsibsook.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\sicseurdvjpcdtfm.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\sicseurdvjpcdtfm.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\tmjcrkkzulukohwgtjx.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\tmjcrkkzulukohwgtjx.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\vqpkbwypmfqiojambtjed.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\vqpkbwypmfqiojambtjed.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\zqlcpgerkzguwnait.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
C:\Windows\zqlcpgerkzguwnait.exe

Filesize
492KB

MD5
2b3ce24e444d93996e1f1da00e37816d

SHA1
b5c2525f9ecba5e3542ea54633f5fdc794c87448

SHA256
67387611c614dff5cd7b6fc938ae38a88520c7fa3e16be72c0b84414de84b6ed

SHA512
0d09cd5417d66f1092f1964d56dc7f10a9fff17221b10ac67b176b2d9c3fb50c3c26a10d9e28a7a132e0cce3f614420964b05847ba5899540c551044e7ca3ae8

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
9a3bd7945d6017a2f068bce0ee07f7b0

SHA1
151c5f1544656013309b4736f6960416d841e2ff

SHA256
720f8a6b23a8fa47cacac196d063d31693d7570aaadea9279ca5296d668b7c9c

SHA512
57ab27559f11beb0c6137cd172ce78407bbe89f4cda1ad4cc5dfc350b514572cf78cc9eae785fc3ff8e1e368b9c0b71e9ffd9d89325bd48067adf531d77d95c8

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
9a3bd7945d6017a2f068bce0ee07f7b0

SHA1
151c5f1544656013309b4736f6960416d841e2ff

SHA256
720f8a6b23a8fa47cacac196d063d31693d7570aaadea9279ca5296d668b7c9c

SHA512
57ab27559f11beb0c6137cd172ce78407bbe89f4cda1ad4cc5dfc350b514572cf78cc9eae785fc3ff8e1e368b9c0b71e9ffd9d89325bd48067adf531d77d95c8

Download Submit
\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
708KB

MD5
64a1fe92a641ae9479fb51ee0e15d412

SHA1
80633da1d3f6a1c9a90dab4ba74642c3e5f77785

SHA256
a4a0fd250195e9ea64ba2d6cbedec63fb0ed7d509ae9258e42ba21ccce46ef43

SHA512
251e73113b3ee4777c07db3e4f7c64f9080d4f63408dde39e5ac1939f3e93e8a85e02963d0b56bd0fc8446f4b7d997ea21af70ccaf471bc6670b521a0c63f2c6

Download Submit
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download