8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

Analysis

max time kernel
151s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
Size

592KB
MD5

65a26623095e6f02ecbfb2e438189110
SHA1

2bd285516698ad16ce7636e72c1c4045755d3db2
SHA256

8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7
SHA512

836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd
SSDEEP

12288:ZpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0E2:ZpUNr6YkVRFkgbeqeo68FhqTz

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jmxhnm.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\laxtlwtgejfxumoahf.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "laxtlwtgejfxumoahf.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "cqmhyieqnrmdzqrci.exe"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "vidxnwrcybvlgwwg.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qcwpemgqlngvped = "jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nwndpulskjzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe

Executes dropped EXE 3 IoCs

pid	Process
2000	ixiyjejjshs.exe
1932	jmxhnm.exe
1840	jmxhnm.exe

Loads dropped DLL 6 IoCs

pid	Process
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
2000	ixiyjejjshs.exe
2000	ixiyjejjshs.exe
2000	ixiyjejjshs.exe
2000	ixiyjejjshs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe ."	jmxhnm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmkhamkyxdatrknaihx.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "wmkhamkyxdatrknaihx.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "jazxredsszxrqkocllcb.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "yqqpkyyopxwrrmrgqrjji.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "vidxnwrcybvlgwwg.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidxnwrcybvlgwwg = "jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "vidxnwrcybvlgwwg.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\laxtlwtgejfxumoahf.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "jazxredsszxrqkocllcb.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidxnwrcybvlgwwg = "wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidxnwrcybvlgwwg = "vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidxnwrcybvlgwwg = "vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidxnwrcybvlgwwg = "jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "wmkhamkyxdatrknaihx.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "vidxnwrcybvlgwwg.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "yqqpkyyopxwrrmrgqrjji.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "wmkhamkyxdatrknaihx.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\laxtlwtgejfxumoahf.exe"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmkhamkyxdatrknaihx.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wmkhamkyxdatrknaihx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmkhamkyxdatrknaihx.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhyieqnrmdzqrci.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmkhamkyxdatrknaihx.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "jazxredsszxrqkocllcb.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cqmhyieqnrmdzqrci = "cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\laxtlwtgejfxumoahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\laxtlwtgejfxumoahf.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwofsyqyrrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe"	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vidxnwrcybvlgwwg.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "cqmhyieqnrmdzqrci.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqqpkyyopxwrrmrgqrjji.exe ."	jmxhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyrjxexgabthao = "yqqpkyyopxwrrmrgqrjji.exe ."	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jmxhnm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jmxhnm.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	whatismyipaddress.com
3	whatismyip.everdot.org
11	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pijjfuvmoxxtuqwmxzsttp.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\wmkhamkyxdatrknaihx.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\yqqpkyyopxwrrmrgqrjji.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe
File created	C:\Windows\SysWOW64\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\wmkhamkyxdatrknaihx.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\jazxredsszxrqkocllcb.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\pijjfuvmoxxtuqwmxzsttp.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\cqmhyieqnrmdzqrci.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\jazxredsszxrqkocllcb.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\yqqpkyyopxwrrmrgqrjji.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\laxtlwtgejfxumoahf.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\jazxredsszxrqkocllcb.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\wmkhamkyxdatrknaihx.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\pijjfuvmoxxtuqwmxzsttp.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\yqqpkyyopxwrrmrgqrjji.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\cqmhyieqnrmdzqrci.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\cqmhyieqnrmdzqrci.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\laxtlwtgejfxumoahf.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\vidxnwrcybvlgwwg.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\laxtlwtgejfxumoahf.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\vidxnwrcybvlgwwg.exe	jmxhnm.exe
File opened for modification	C:\Windows\SysWOW64\vidxnwrcybvlgwwg.exe	ixiyjejjshs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe
File opened for modification	C:\Program Files (x86)\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File created	C:\Program Files (x86)\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File opened for modification	C:\Program Files (x86)\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File opened for modification	C:\Windows\wmkhamkyxdatrknaihx.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\jazxredsszxrqkocllcb.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\yqqpkyyopxwrrmrgqrjji.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\jazxredsszxrqkocllcb.exe	jmxhnm.exe
File opened for modification	C:\Windows\vidxnwrcybvlgwwg.exe	jmxhnm.exe
File opened for modification	C:\Windows\pijjfuvmoxxtuqwmxzsttp.exe	jmxhnm.exe
File opened for modification	C:\Windows\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe
File opened for modification	C:\Windows\laxtlwtgejfxumoahf.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\vidxnwrcybvlgwwg.exe	jmxhnm.exe
File opened for modification	C:\Windows\cqmhyieqnrmdzqrci.exe	jmxhnm.exe
File opened for modification	C:\Windows\vidxnwrcybvlgwwg.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\wmkhamkyxdatrknaihx.exe	jmxhnm.exe
File opened for modification	C:\Windows\pijjfuvmoxxtuqwmxzsttp.exe	jmxhnm.exe
File opened for modification	C:\Windows\wmkhamkyxdatrknaihx.exe	jmxhnm.exe
File opened for modification	C:\Windows\jazxredsszxrqkocllcb.exe	jmxhnm.exe
File created	C:\Windows\yaktywggrjsxhmbaufhrafdnnyq.eot	jmxhnm.exe
File opened for modification	C:\Windows\vidxnwrcybvlgwwglhupjzidoknhxsiisxtgbv.upa	jmxhnm.exe
File opened for modification	C:\Windows\cqmhyieqnrmdzqrci.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\pijjfuvmoxxtuqwmxzsttp.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\cqmhyieqnrmdzqrci.exe	jmxhnm.exe
File opened for modification	C:\Windows\laxtlwtgejfxumoahf.exe	jmxhnm.exe
File opened for modification	C:\Windows\yqqpkyyopxwrrmrgqrjji.exe	jmxhnm.exe
File opened for modification	C:\Windows\laxtlwtgejfxumoahf.exe	jmxhnm.exe
File opened for modification	C:\Windows\yqqpkyyopxwrrmrgqrjji.exe	jmxhnm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
1932	jmxhnm.exe
1932	jmxhnm.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	jmxhnm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2000	900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	27
PID 900 wrote to memory of 2000	900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	27
PID 900 wrote to memory of 2000	900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	27
PID 900 wrote to memory of 2000	900	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	27
PID 2000 wrote to memory of 1932	2000	ixiyjejjshs.exe	28
PID 2000 wrote to memory of 1932	2000	ixiyjejjshs.exe	28
PID 2000 wrote to memory of 1932	2000	ixiyjejjshs.exe	28
PID 2000 wrote to memory of 1932	2000	ixiyjejjshs.exe	28
PID 2000 wrote to memory of 1840	2000	ixiyjejjshs.exe	29
PID 2000 wrote to memory of 1840	2000	ixiyjejjshs.exe	29
PID 2000 wrote to memory of 1840	2000	ixiyjejjshs.exe	29
PID 2000 wrote to memory of 1840	2000	ixiyjejjshs.exe	29

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jmxhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jmxhnm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jmxhnm.exe

C:\Users\Admin\AppData\Local\Temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
"C:\Users\Admin\AppData\Local\Temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
  "C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe" "c:\users\admin\appdata\local\temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe
    "C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe" "-C:\Users\Admin\AppData\Local\Temp\vidxnwrcybvlgwwg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe
    "C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe" "-C:\Users\Admin\AppData\Local\Temp\vidxnwrcybvlgwwg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqmhyieqnrmdzqrci.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
98aba709cb1b5d3404dfbda81c2f49aa

SHA1
1a2bc086d1398cc8c77e9dcffbc893de3c1e1d51

SHA256
e244fec162685891dcd9047af6c62243e78470261e40bb4a04e7546cb2e295b4

SHA512
78206775bc4f61b0d2ad499f13b045227fddd7fc9923396f00919116dd049cb1a3d0e61ef64eccb88ed13c844870d71e37f733bb17c411f3a6b465cdf16e0e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
98aba709cb1b5d3404dfbda81c2f49aa

SHA1
1a2bc086d1398cc8c77e9dcffbc893de3c1e1d51

SHA256
e244fec162685891dcd9047af6c62243e78470261e40bb4a04e7546cb2e295b4

SHA512
78206775bc4f61b0d2ad499f13b045227fddd7fc9923396f00919116dd049cb1a3d0e61ef64eccb88ed13c844870d71e37f733bb17c411f3a6b465cdf16e0e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\jazxredsszxrqkocllcb.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\laxtlwtgejfxumoahf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pijjfuvmoxxtuqwmxzsttp.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vidxnwrcybvlgwwg.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmkhamkyxdatrknaihx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqqpkyyopxwrrmrgqrjji.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\cqmhyieqnrmdzqrci.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\jazxredsszxrqkocllcb.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\laxtlwtgejfxumoahf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\pijjfuvmoxxtuqwmxzsttp.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\vidxnwrcybvlgwwg.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\wmkhamkyxdatrknaihx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\yqqpkyyopxwrrmrgqrjji.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\cqmhyieqnrmdzqrci.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\cqmhyieqnrmdzqrci.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\jazxredsszxrqkocllcb.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\jazxredsszxrqkocllcb.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\laxtlwtgejfxumoahf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\laxtlwtgejfxumoahf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\pijjfuvmoxxtuqwmxzsttp.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\pijjfuvmoxxtuqwmxzsttp.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\vidxnwrcybvlgwwg.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\vidxnwrcybvlgwwg.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\wmkhamkyxdatrknaihx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\wmkhamkyxdatrknaihx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\yqqpkyyopxwrrmrgqrjji.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\yqqpkyyopxwrrmrgqrjji.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
98aba709cb1b5d3404dfbda81c2f49aa

SHA1
1a2bc086d1398cc8c77e9dcffbc893de3c1e1d51

SHA256
e244fec162685891dcd9047af6c62243e78470261e40bb4a04e7546cb2e295b4

SHA512
78206775bc4f61b0d2ad499f13b045227fddd7fc9923396f00919116dd049cb1a3d0e61ef64eccb88ed13c844870d71e37f733bb17c411f3a6b465cdf16e0e67

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
98aba709cb1b5d3404dfbda81c2f49aa

SHA1
1a2bc086d1398cc8c77e9dcffbc893de3c1e1d51

SHA256
e244fec162685891dcd9047af6c62243e78470261e40bb4a04e7546cb2e295b4

SHA512
78206775bc4f61b0d2ad499f13b045227fddd7fc9923396f00919116dd049cb1a3d0e61ef64eccb88ed13c844870d71e37f733bb17c411f3a6b465cdf16e0e67

Download Submit
\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
\Users\Admin\AppData\Local\Temp\jmxhnm.exe

Filesize
716KB

MD5
83acb4a4b6e711e070c8ebd2ad2ef8ea

SHA1
d4e50cb9eaf8ed5c3e8f031ee9b380b7af19535f

SHA256
90af903712963aca5ad10204719ced41f46d0b2b1fc0a25ccefbe6d650ae2a33

SHA512
1a337ba11b6f32b43e224a3579c5e4a312c5fe28d094bb79a840fb4e749bf972f8ce45390721c497391a03eabd5ab0bd7a159a4632f58851c930a4421e9c2a26

Download Submit
memory/900-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download