8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

Analysis

max time kernel
167s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
Size

592KB
MD5

65a26623095e6f02ecbfb2e438189110
SHA1

2bd285516698ad16ce7636e72c1c4045755d3db2
SHA256

8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7
SHA512

836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd
SSDEEP

12288:ZpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0E2:ZpUNr6YkVRFkgbeqeo68FhqTz

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ubnwvck.exe

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "arngpgytfygxdxbbd.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "jbyscunjwqzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "wrrobwsrheqlvtbfllkff.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "jbyscunjwqzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "wrrobwsrheqlvtbfllkff.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hnygek = "arngpgytfygxdxbbd.exe"	ubnwvck.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe

Executes dropped EXE 4 IoCs

pid	Process
1208	grrfdxtjqbb.exe
1452	ubnwvck.exe
2100	ubnwvck.exe
2540	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jreoowfr = "arngpgytfygxdxbbd.exe ."	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe ."	ubnwvck.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "unlgrkebpkunvrxzdby.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "wrrobwsrheqlvtbfllkff.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "jbyscunjwqzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrag = "unlgrkebpkunvrxzdby.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "wrrobwsrheqlvtbfllkff.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrag = "hbawicxvkgrlurybgfdx.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe ."	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "tjeweulfqipfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe ."	ubnwvck.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unlgrkebpkunvrxzdby.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arngpgytfygxdxbbd.exe"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jreoowfr = "tjeweulfqipfkdgf.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrag = "jbyscunjwqzrytyzcz.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "tjeweulfqipfkdgf.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "jbyscunjwqzrytyzcz.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrag = "hbawicxvkgrlurybgfdx.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdsegqbpug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "arngpgytfygxdxbbd.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jreoowfr = "unlgrkebpkunvrxzdby.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "wrrobwsrheqlvtbfllkff.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubnwvck = "tjeweulfqipfkdgf.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "unlgrkebpkunvrxzdby.exe ."	ubnwvck.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe"	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ajxijscpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrrobwsrheqlvtbfllkff.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jreoowfr = "arngpgytfygxdxbbd.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "hbawicxvkgrlurybgfdx.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wblsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbyscunjwqzrytyzcz.exe ."	ubnwvck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jreoowfr = "hbawicxvkgrlurybgfdx.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hbawicxvkgrlurybgfdx.exe"	grrfdxtjqbb.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	whatismyipaddress.com
32	whatismyip.everdot.org
42	whatismyip.everdot.org
43	www.showmyipaddress.com
45	whatismyip.everdot.org
47	whatismyip.everdot.org
49	www.showmyipaddress.com
20	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\njkiwsppgernyxglsttpqo.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\tjeweulfqipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\njkiwsppgernyxglsttpqo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\arngpgytfygxdxbbd.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\njkiwsppgernyxglsttpqo.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\hbawicxvkgrlurybgfdx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\hbawicxvkgrlurybgfdx.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\hbawicxvkgrlurybgfdx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\tjeweulfqipfkdgf.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\wrrobwsrheqlvtbfllkff.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File created	C:\Windows\SysWOW64\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\wrrobwsrheqlvtbfllkff.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\unlgrkebpkunvrxzdby.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\wrrobwsrheqlvtbfllkff.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\jbyscunjwqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\jbyscunjwqzrytyzcz.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\arngpgytfygxdxbbd.exe	grrfdxtjqbb.exe
File created	C:\Windows\SysWOW64\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\wrrobwsrheqlvtbfllkff.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\arngpgytfygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\unlgrkebpkunvrxzdby.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\tjeweulfqipfkdgf.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\jbyscunjwqzrytyzcz.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\jbyscunjwqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\unlgrkebpkunvrxzdby.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\unlgrkebpkunvrxzdby.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\njkiwsppgernyxglsttpqo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\tjeweulfqipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\hbawicxvkgrlurybgfdx.exe	ubnwvck.exe
File opened for modification	C:\Windows\SysWOW64\arngpgytfygxdxbbd.exe	ubnwvck.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File created	C:\Program Files (x86)\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File opened for modification	C:\Program Files (x86)\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe
File created	C:\Program Files (x86)\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wrrobwsrheqlvtbfllkff.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jbyscunjwqzrytyzcz.exe	ubnwvck.exe
File opened for modification	C:\Windows\tjeweulfqipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\arngpgytfygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\njkiwsppgernyxglsttpqo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wrrobwsrheqlvtbfllkff.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\arngpgytfygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jbyscunjwqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\njkiwsppgernyxglsttpqo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jbyscunjwqzrytyzcz.exe	ubnwvck.exe
File opened for modification	C:\Windows\njkiwsppgernyxglsttpqo.exe	ubnwvck.exe
File opened for modification	C:\Windows\hbawicxvkgrlurybgfdx.exe	ubnwvck.exe
File opened for modification	C:\Windows\tjeweulfqipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\hbawicxvkgrlurybgfdx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wrrobwsrheqlvtbfllkff.exe	ubnwvck.exe
File opened for modification	C:\Windows\arngpgytfygxdxbbd.exe	ubnwvck.exe
File opened for modification	C:\Windows\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File opened for modification	C:\Windows\hbawicxvkgrlurybgfdx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe
File opened for modification	C:\Windows\unlgrkebpkunvrxzdby.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\unlgrkebpkunvrxzdby.exe	ubnwvck.exe
File opened for modification	C:\Windows\wrrobwsrheqlvtbfllkff.exe	ubnwvck.exe
File opened for modification	C:\Windows\jbyscunjwqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\arngpgytfygxdxbbd.exe	ubnwvck.exe
File opened for modification	C:\Windows\tjeweulfqipfkdgf.exe	ubnwvck.exe
File opened for modification	C:\Windows\unlgrkebpkunvrxzdby.exe	ubnwvck.exe
File created	C:\Windows\gjrwruyfdicfxdtftbiltytwa.fke	ubnwvck.exe
File opened for modification	C:\Windows\tjeweulfqipfkdgf.exe	ubnwvck.exe
File opened for modification	C:\Windows\hbawicxvkgrlurybgfdx.exe	ubnwvck.exe
File opened for modification	C:\Windows\njkiwsppgernyxglsttpqo.exe	ubnwvck.exe
File created	C:\Windows\lzsiocrjsinbevwtsldrkagujbkaftwnolkd.jcs	ubnwvck.exe
File opened for modification	C:\Windows\unlgrkebpkunvrxzdby.exe	grrfdxtjqbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
1452	ubnwvck.exe
1452	ubnwvck.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	ubnwvck.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1208	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	83
PID 4908 wrote to memory of 1208	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	83
PID 4908 wrote to memory of 1208	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	83
PID 1208 wrote to memory of 1452	1208	grrfdxtjqbb.exe	85
PID 1208 wrote to memory of 1452	1208	grrfdxtjqbb.exe	85
PID 1208 wrote to memory of 1452	1208	grrfdxtjqbb.exe	85
PID 1208 wrote to memory of 2100	1208	grrfdxtjqbb.exe	86
PID 1208 wrote to memory of 2100	1208	grrfdxtjqbb.exe	86
PID 1208 wrote to memory of 2100	1208	grrfdxtjqbb.exe	86
PID 4908 wrote to memory of 2540	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	94
PID 4908 wrote to memory of 2540	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	94
PID 4908 wrote to memory of 2540	4908	8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe	94

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ubnwvck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ubnwvck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe

C:\Users\Admin\AppData\Local\Temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe
"C:\Users\Admin\AppData\Local\Temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe
    "C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe" "-C:\Users\Admin\AppData\Local\Temp\tjeweulfqipfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1452
- - C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe
    "C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe" "-C:\Users\Admin\AppData\Local\Temp\tjeweulfqipfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2100
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arngpgytfygxdxbbd.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7eeaea31a29301ed4ed4762cb5ecaec8

SHA1
94a24367376f758b0d1170b461211f1609cd910e

SHA256
0a61f44e5428692822702f6c08caf8cf6ca6b157c8724c04633c1868e909714b

SHA512
a8b5d8747e39a7c56056d0e1490932c1e12c65f04fccd36ca5ff94416f2ff27efe4a2aee3566843192e21e7b92dc17ad92adec905b2f1b83ae7eb681cc690838

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7eeaea31a29301ed4ed4762cb5ecaec8

SHA1
94a24367376f758b0d1170b461211f1609cd910e

SHA256
0a61f44e5428692822702f6c08caf8cf6ca6b157c8724c04633c1868e909714b

SHA512
a8b5d8747e39a7c56056d0e1490932c1e12c65f04fccd36ca5ff94416f2ff27efe4a2aee3566843192e21e7b92dc17ad92adec905b2f1b83ae7eb681cc690838

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7eeaea31a29301ed4ed4762cb5ecaec8

SHA1
94a24367376f758b0d1170b461211f1609cd910e

SHA256
0a61f44e5428692822702f6c08caf8cf6ca6b157c8724c04633c1868e909714b

SHA512
a8b5d8747e39a7c56056d0e1490932c1e12c65f04fccd36ca5ff94416f2ff27efe4a2aee3566843192e21e7b92dc17ad92adec905b2f1b83ae7eb681cc690838

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbawicxvkgrlurybgfdx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbyscunjwqzrytyzcz.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\njkiwsppgernyxglsttpqo.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjeweulfqipfkdgf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe

Filesize
712KB

MD5
eb8b77821f7217a06a648ff17f3c91fe

SHA1
dd8a5ef0a72669f9bd53e93e29922011d420bd15

SHA256
1580739ad7874589a9dd782bae23b79682aea7f21f133bf46905347a30f22747

SHA512
037f4d0cef031588b7984c989d29359bec8874c12250e8a76af2326b2be5c6d74b1bcadd931d7fef076ca27717fcee8780a510f380a8d1cad962a3e43dc4f9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe

Filesize
712KB

MD5
eb8b77821f7217a06a648ff17f3c91fe

SHA1
dd8a5ef0a72669f9bd53e93e29922011d420bd15

SHA256
1580739ad7874589a9dd782bae23b79682aea7f21f133bf46905347a30f22747

SHA512
037f4d0cef031588b7984c989d29359bec8874c12250e8a76af2326b2be5c6d74b1bcadd931d7fef076ca27717fcee8780a510f380a8d1cad962a3e43dc4f9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubnwvck.exe

Filesize
712KB

MD5
eb8b77821f7217a06a648ff17f3c91fe

SHA1
dd8a5ef0a72669f9bd53e93e29922011d420bd15

SHA256
1580739ad7874589a9dd782bae23b79682aea7f21f133bf46905347a30f22747

SHA512
037f4d0cef031588b7984c989d29359bec8874c12250e8a76af2326b2be5c6d74b1bcadd931d7fef076ca27717fcee8780a510f380a8d1cad962a3e43dc4f9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\unlgrkebpkunvrxzdby.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrrobwsrheqlvtbfllkff.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\arngpgytfygxdxbbd.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\hbawicxvkgrlurybgfdx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\jbyscunjwqzrytyzcz.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\njkiwsppgernyxglsttpqo.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\tjeweulfqipfkdgf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\unlgrkebpkunvrxzdby.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\SysWOW64\wrrobwsrheqlvtbfllkff.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\arngpgytfygxdxbbd.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\arngpgytfygxdxbbd.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\arngpgytfygxdxbbd.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\hbawicxvkgrlurybgfdx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\hbawicxvkgrlurybgfdx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\hbawicxvkgrlurybgfdx.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\jbyscunjwqzrytyzcz.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\jbyscunjwqzrytyzcz.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\jbyscunjwqzrytyzcz.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\njkiwsppgernyxglsttpqo.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\njkiwsppgernyxglsttpqo.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\njkiwsppgernyxglsttpqo.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\tjeweulfqipfkdgf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\tjeweulfqipfkdgf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\tjeweulfqipfkdgf.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\unlgrkebpkunvrxzdby.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\unlgrkebpkunvrxzdby.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\unlgrkebpkunvrxzdby.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\wrrobwsrheqlvtbfllkff.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\wrrobwsrheqlvtbfllkff.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit
C:\Windows\wrrobwsrheqlvtbfllkff.exe

Filesize
592KB

MD5
65a26623095e6f02ecbfb2e438189110

SHA1
2bd285516698ad16ce7636e72c1c4045755d3db2

SHA256
8da6678bd41fb6d8c02642a8e35ab7d597567a02fecc7e1a8d99906768f1c4b7

SHA512
836aff8f9545273e4287881627548e39aaf8054c997e7577ddb9eb68b01415f3ff947080542de801f58d418c20fcec966086da525dd98f1dd11867b128f005dd

Download Submit