72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yfnps.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfnps.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfctlicsrykjilzkclhe.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "lfapfasgdispmnziyf.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "vngthaqcxaidyxho.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "yvtlecxoowjjjncohrome.exe"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvglrcko = "cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfnps = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe"	yfnps.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe

Executes dropped EXE 3 IoCs

pid	Process
4756	hkaqkpraruk.exe
1936	yfnps.exe
4348	yfnps.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	hkaqkpraruk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jradhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "lfapfasgdispmnziyf.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe ."	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "jfctlicsrykjilzkclhe.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jradhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jradhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe"	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "jfctlicsrykjilzkclhe.exe ."	yfnps.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "vngthaqcxaidyxho.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "wrnduqjywcnljlyizhc.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "wrnduqjywcnljlyizhc.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "lfapfasgdispmnziyf.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "lfapfasgdispmnziyf.exe ."	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "jfctlicsrykjilzkclhe.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngthaqcxaidyxho.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "lfapfasgdispmnziyf.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfctlicsrykjilzkclhe.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "vngthaqcxaidyxho.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfctlicsrykjilzkclhe.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jradhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngthaqcxaidyxho.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "jfctlicsrykjilzkclhe.exe"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yfnps.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "lfapfasgdispmnziyf.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "vngthaqcxaidyxho.exe"	yfnps.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "wrnduqjywcnljlyizhc.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvtlecxoowjjjncohrome.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdrziwhoecf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vngthaqcxaidyxho.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "cvpdsmdqmqzvrrckz.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "vngthaqcxaidyxho.exe ."	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "wrnduqjywcnljlyizhc.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jradhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "wrnduqjywcnljlyizhc.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnzfmyhma = "lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "lfapfasgdispmnziyf.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbqzjyksjimd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe"	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "wrnduqjywcnljlyizhc.exe ."	hkaqkpraruk.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yfnps.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhubjwgmby = "vngthaqcxaidyxho.exe ."	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfapfasgdispmnziyf.exe ."	yfnps.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jradhq = "jfctlicsrykjilzkclhe.exe"	yfnps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfptyip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvpdsmdqmqzvrrckz.exe ."	yfnps.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yfnps.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	www.showmyipaddress.com
4	whatismyipaddress.com
6	whatismyip.everdot.org
11	whatismyip.everdot.org
13	whatismyip.everdot.org

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe
File created	C:\Windows\SysWOW64\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EB1E2384-DC6E-42C3-BDAF-181161CB7B9B}.catalogItem	svchost.exe
File opened for modification	C:\Windows\SysWOW64\yvtlecxoowjjjncohrome.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\vngthaqcxaidyxho.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\wrnduqjywcnljlyizhc.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\vngthaqcxaidyxho.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\vngthaqcxaidyxho.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\cvpdsmdqmqzvrrckz.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\lfapfasgdispmnziyf.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\wrnduqjywcnljlyizhc.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\lfapfasgdispmnziyf.exe	yfnps.exe
File created	C:\Windows\SysWOW64\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\pnmfzyumnwklmrhuozxwpj.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\jfctlicsrykjilzkclhe.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\pnmfzyumnwklmrhuozxwpj.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\jfctlicsrykjilzkclhe.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\yvtlecxoowjjjncohrome.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\jfctlicsrykjilzkclhe.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\wrnduqjywcnljlyizhc.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\lfapfasgdispmnziyf.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\pnmfzyumnwklmrhuozxwpj.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\cvpdsmdqmqzvrrckz.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\cvpdsmdqmqzvrrckz.exe	yfnps.exe
File opened for modification	C:\Windows\SysWOW64\yvtlecxoowjjjncohrome.exe	yfnps.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D20FAA4E-F9C5-49A5-A5E8-B4775D821862}.catalogItem	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File created	C:\Program Files (x86)\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File opened for modification	C:\Program Files (x86)\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe
File created	C:\Program Files (x86)\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vngthaqcxaidyxho.exe	yfnps.exe
File opened for modification	C:\Windows\cvpdsmdqmqzvrrckz.exe	yfnps.exe
File opened for modification	C:\Windows\yvtlecxoowjjjncohrome.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\pnmfzyumnwklmrhuozxwpj.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\vngthaqcxaidyxho.exe	yfnps.exe
File opened for modification	C:\Windows\jfctlicsrykjilzkclhe.exe	yfnps.exe
File opened for modification	C:\Windows\yvtlecxoowjjjncohrome.exe	yfnps.exe
File opened for modification	C:\Windows\pnmfzyumnwklmrhuozxwpj.exe	yfnps.exe
File opened for modification	C:\Windows\lfapfasgdispmnziyf.exe	yfnps.exe
File opened for modification	C:\Windows\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe
File opened for modification	C:\Windows\wrnduqjywcnljlyizhc.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\jfctlicsrykjilzkclhe.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\cvpdsmdqmqzvrrckz.exe	yfnps.exe
File opened for modification	C:\Windows\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File opened for modification	C:\Windows\cvpdsmdqmqzvrrckz.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\wrnduqjywcnljlyizhc.exe	yfnps.exe
File opened for modification	C:\Windows\yvtlecxoowjjjncohrome.exe	yfnps.exe
File opened for modification	C:\Windows\pnmfzyumnwklmrhuozxwpj.exe	yfnps.exe
File created	C:\Windows\adhfeijgmatzfpkcbruywvz.xdr	yfnps.exe
File opened for modification	C:\Windows\vngthaqcxaidyxho.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\lfapfasgdispmnziyf.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\lfapfasgdispmnziyf.exe	yfnps.exe
File opened for modification	C:\Windows\wrnduqjywcnljlyizhc.exe	yfnps.exe
File opened for modification	C:\Windows\jfctlicsrykjilzkclhe.exe	yfnps.exe
File created	C:\Windows\nbqzjyksjimdupvyijxmvfugofeizqlrue.tir	yfnps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
1936	yfnps.exe
1936	yfnps.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
1936	yfnps.exe
1936	yfnps.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	yfnps.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4756	2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe	75
PID 2228 wrote to memory of 4756	2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe	75
PID 2228 wrote to memory of 4756	2228	72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe	75
PID 4756 wrote to memory of 1936	4756	hkaqkpraruk.exe	76
PID 4756 wrote to memory of 1936	4756	hkaqkpraruk.exe	76
PID 4756 wrote to memory of 1936	4756	hkaqkpraruk.exe	76
PID 4756 wrote to memory of 4348	4756	hkaqkpraruk.exe	77
PID 4756 wrote to memory of 4348	4756	hkaqkpraruk.exe	77
PID 4756 wrote to memory of 4348	4756	hkaqkpraruk.exe	77

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yfnps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfnps.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yfnps.exe

C:\Users\Admin\AppData\Local\Temp\72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe
"C:\Users\Admin\AppData\Local\Temp\72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe
  "C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe" "c:\users\admin\appdata\local\temp\72adc870e88af296e4b421674faa29b68080c2780ac35588fa0a73bccb10194d.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\yfnps.exe
    "C:\Users\Admin\AppData\Local\Temp\yfnps.exe" "-C:\Users\Admin\AppData\Local\Temp\vngthaqcxaidyxho.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\yfnps.exe
    "C:\Users\Admin\AppData\Local\Temp\yfnps.exe" "-C:\Users\Admin\AppData\Local\Temp\vngthaqcxaidyxho.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery