2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
Size

892KB
MD5

d926c47b0ac935c8364502032b439f5e
SHA1

63f3d8e9c63c97d79b7df48b38880332e9a37597
SHA256

2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a
SHA512

1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe
SSDEEP

12288:eQMiG+2gef5x/xQTB2OfDKC7WgcEY53khxzNNu0A5YPSbXKLePlWd6SeCd:eQ0+29VgfDnKYY53SuNYPSb8ePlixd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe

Adds policy Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "atmfrhewkxpckjoxa.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "upkftlkeujdscdkvady.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbrhqdxmxhwglh = "wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\obobhriucjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe

Executes dropped EXE 4 IoCs

pid	Process
3480	pwyrqtqlzgi.exe
3860	udmvxdq.exe
3632	udmvxdq.exe
1496	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pwyrqtqlzgi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "jdxrevtmbpiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tldvgvrivhykrptb = "wtqndxyumdzqcfobinkhe.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "atmfrhewkxpckjoxa.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtqndxyumdzqcfobinkhe.exe ."	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "upkftlkeujdscdkvady.exe ."	udmvxdq.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "hdzvkddypfaqbdlxdhdz.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "hdzvkddypfaqbdlxdhdz.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "atmfrhewkxpckjoxa.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "wtqndxyumdzqcfobinkhe.exe ."	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "tldvgvrivhykrptb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "hdzvkddypfaqbdlxdhdz.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofwnxlgwitjuaxa = "upkftlkeujdscdkvady.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tldvgvrivhykrptb = "atmfrhewkxpckjoxa.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "jdxrevtmbpiwfflvzb.exe ."	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdzvkddypfaqbdlxdhdz.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "wtqndxyumdzqcfobinkhe.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tldvgvrivhykrptb.exe"	udmvxdq.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tldvgvrivhykrptb = "tldvgvrivhykrptb.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tldvgvrivhykrptb = "upkftlkeujdscdkvady.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tldvgvrivhykrptb = "atmfrhewkxpckjoxa.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jdxrevtmbpiwfflvzb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmfrhewkxpckjoxa.exe"	udmvxdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\atmfrhewkxpckjoxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxrevtmbpiwfflvzb.exe ."	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kzodlxqeoxluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upkftlkeujdscdkvady.exe ."	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	udmvxdq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lznbitlyhpck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtqndxyumdzqcfobinkhe.exe"	udmvxdq.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	www.showmyipaddress.com
41	whatismyipaddress.com
55	whatismyip.everdot.org
62	whatismyip.everdot.org
69	www.showmyipaddress.com
34	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	udmvxdq.exe
File opened for modification	C:\autorun.inf	udmvxdq.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File created	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\tldvgvrivhykrptb.exe	udmvxdq.exe
File created	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File opened for modification	C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File created	C:\Program Files (x86)\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File opened for modification	C:\Program Files (x86)\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe
File created	C:\Program Files (x86)\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File opened for modification	C:\Windows\upkftlkeujdscdkvady.exe	udmvxdq.exe
File opened for modification	C:\Windows\wtqndxyumdzqcfobinkhe.exe	udmvxdq.exe
File opened for modification	C:\Windows\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File opened for modification	C:\Windows\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe
File opened for modification	C:\Windows\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\tldvgvrivhykrptb.exe	udmvxdq.exe
File opened for modification	C:\Windows\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File opened for modification	C:\Windows\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File created	C:\Windows\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\tldvgvrivhykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\tldvgvrivhykrptbddvnfxixtkxjamtrvdffxp.zkz	udmvxdq.exe
File opened for modification	C:\Windows\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\hdzvkddypfaqbdlxdhdz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File opened for modification	C:\Windows\atmfrhewkxpckjoxa.exe	udmvxdq.exe
File opened for modification	C:\Windows\hdzvkddypfaqbdlxdhdz.exe	udmvxdq.exe
File opened for modification	C:\Windows\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File created	C:\Windows\wdkrrvgmopvwsfyvmbipwddhsya.hie	udmvxdq.exe
File created	C:\Windows\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\nljhytvsldasfjthpvtrpn.exe	udmvxdq.exe
File opened for modification	C:\Windows\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\nljhytvsldasfjthpvtrpn.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\tldvgvrivhykrptb.exe	udmvxdq.exe
File opened for modification	C:\Windows\jdxrevtmbpiwfflvzb.exe	udmvxdq.exe
File opened for modification	C:\Windows\upkftlkeujdscdkvady.exe	udmvxdq.exe
File opened for modification	C:\Windows\atmfrhewkxpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\jdxrevtmbpiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\upkftlkeujdscdkvady.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wtqndxyumdzqcfobinkhe.exe	pwyrqtqlzgi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
3860	udmvxdq.exe
3860	udmvxdq.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
3860	udmvxdq.exe
3860	udmvxdq.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	udmvxdq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3480	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	85
PID 644 wrote to memory of 3480	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	85
PID 644 wrote to memory of 3480	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	85
PID 3480 wrote to memory of 3860	3480	pwyrqtqlzgi.exe	89
PID 3480 wrote to memory of 3860	3480	pwyrqtqlzgi.exe	89
PID 3480 wrote to memory of 3860	3480	pwyrqtqlzgi.exe	89
PID 3480 wrote to memory of 3632	3480	pwyrqtqlzgi.exe	91
PID 3480 wrote to memory of 3632	3480	pwyrqtqlzgi.exe	91
PID 3480 wrote to memory of 3632	3480	pwyrqtqlzgi.exe	91
PID 644 wrote to memory of 1496	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	103
PID 644 wrote to memory of 1496	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	103
PID 644 wrote to memory of 1496	644	2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe	103

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	udmvxdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	udmvxdq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	udmvxdq.exe

C:\Users\Admin\AppData\Local\Temp\2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe
"C:\Users\Admin\AppData\Local\Temp\2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe
    "C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe" "-C:\Users\Admin\AppData\Local\Temp\tldvgvrivhykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe
    "C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe" "-C:\Users\Admin\AppData\Local\Temp\tldvgvrivhykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3632
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\tldvgvrivhykrptb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe

Filesize
712KB

MD5
4c980c171350e03dfafc1c3f3c32da86

SHA1
64a133ee77be2450b0ee0deb863b285e99b4c43b

SHA256
6c2a3a070294ebb0e0c61c91a2ec65592fc14a062479cf5388db563c26021eb9

SHA512
3687da69d44ae133e2e8dcc5fb6989ffb58917fbbc62da3e51ff97aa70ddb1a29682464b052cb23b8d262f681fcb4aaf138c8b74868253b10cde56e1832dd466

Download Submit
C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe

Filesize
712KB

MD5
4c980c171350e03dfafc1c3f3c32da86

SHA1
64a133ee77be2450b0ee0deb863b285e99b4c43b

SHA256
6c2a3a070294ebb0e0c61c91a2ec65592fc14a062479cf5388db563c26021eb9

SHA512
3687da69d44ae133e2e8dcc5fb6989ffb58917fbbc62da3e51ff97aa70ddb1a29682464b052cb23b8d262f681fcb4aaf138c8b74868253b10cde56e1832dd466

Download Submit
C:\Users\Admin\AppData\Local\Temp\udmvxdq.exe

Filesize
712KB

MD5
4c980c171350e03dfafc1c3f3c32da86

SHA1
64a133ee77be2450b0ee0deb863b285e99b4c43b

SHA256
6c2a3a070294ebb0e0c61c91a2ec65592fc14a062479cf5388db563c26021eb9

SHA512
3687da69d44ae133e2e8dcc5fb6989ffb58917fbbc62da3e51ff97aa70ddb1a29682464b052cb23b8d262f681fcb4aaf138c8b74868253b10cde56e1832dd466

Download Submit
C:\Users\Admin\AppData\Local\Temp\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\tldvgvrivhykrptb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\SysWOW64\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\atmfrhewkxpckjoxa.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\hdzvkddypfaqbdlxdhdz.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\jdxrevtmbpiwfflvzb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\nljhytvsldasfjthpvtrpn.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\tldvgvrivhykrptb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\tldvgvrivhykrptb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\tldvgvrivhykrptb.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\upkftlkeujdscdkvady.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit
C:\Windows\wtqndxyumdzqcfobinkhe.exe

Filesize
892KB

MD5
d926c47b0ac935c8364502032b439f5e

SHA1
63f3d8e9c63c97d79b7df48b38880332e9a37597

SHA256
2b259640cce618d5919731adc0b3d8ce1124d474227104de1914d1b8ee76b35a

SHA512
1c3f9fda3f4193a1c81aa6cd1e96be427b65775c15885969caa8ccba42c7f12073faf437eb71fff4defda97205b512f817b0d3cda6c3ebf62344a61de4be48fe

Download Submit