f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
Size

1016KB
MD5

6112b7be85e203de144e8cf777877430
SHA1

eeca0708de0f1ea1fc8187c6d8d7e77d840fe894
SHA256

f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121
SHA512

dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3
SSDEEP

6144:1IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:1IXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dfjtx.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfjtx.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ancxmcpesirtybjc.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brjhzsiarkwbjpawamf.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "ancxmcpesirtybjc.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ancxmcpesirtybjc.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "brjhzsiarkwbjpawamf.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdqjwkviuippst = "hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdndnygqzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	dfjtx.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe

Executes dropped EXE 3 IoCs

pid	Process
2036	iffdguquspp.exe
536	dfjtx.exe
544	dfjtx.exe

Loads dropped DLL 6 IoCs

pid	Process
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ancxmcpesirtybjc.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brjhzsiarkwbjpawamf.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe ."	dfjtx.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ancxmcpesirtybjc.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "brjhzsiarkwbjpawamf.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "qfwtkcriyqbfmrbwzk.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "ancxmcpesirtybjc.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe ."	dfjtx.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "qfwtkcriyqbfmrbwzk.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "qfwtkcriyqbfmrbwzk.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "ofyxqkbumgtzipbydqkb.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qfwtkcriyqbfmrbwzk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "ancxmcpesirtybjc.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ancxmcpesirtybjc.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "brjhzsiarkwbjpawamf.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "brjhzsiarkwbjpawamf.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofyxqkbumgtzipbydqkb.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brjhzsiarkwbjpawamf.exe ."	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvppjewqjeszjreciwrjd.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "dvppjewqjeszjreciwrjd.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "ancxmcpesirtybjc.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "hvlhxocshyilrveya.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "ofyxqkbumgtzipbydqkb.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vhvpdsesfucdhjq = "brjhzsiarkwbjpawamf.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe"	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ancxmcpesirtybjc = "ofyxqkbumgtzipbydqkb.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvlhxocshyilrveya.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "brjhzsiarkwbjpawamf.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "hvlhxocshyilrveya.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfwtkcriyqbfmrbwzk.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbmdoajueqvt = "ancxmcpesirtybjc.exe"	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hvlhxocshyilrveya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofyxqkbumgtzipbydqkb.exe ."	dfjtx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbnfreoalyedf = "ancxmcpesirtybjc.exe ."	dfjtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfjtx.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
7	www.showmyipaddress.com
19	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hvlhxocshyilrveya.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\unijeatoietbmvjipeatop.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\qfwtkcriyqbfmrbwzk.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\unijeatoietbmvjipeatop.exe	dfjtx.exe
File created	C:\Windows\SysWOW64\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\qfwtkcriyqbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\unijeatoietbmvjipeatop.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\ancxmcpesirtybjc.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ancxmcpesirtybjc.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\dvppjewqjeszjreciwrjd.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\hvlhxocshyilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\brjhzsiarkwbjpawamf.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\dvppjewqjeszjreciwrjd.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\brjhzsiarkwbjpawamf.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File created	C:\Windows\SysWOW64\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ancxmcpesirtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\qfwtkcriyqbfmrbwzk.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\brjhzsiarkwbjpawamf.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ofyxqkbumgtzipbydqkb.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\hvlhxocshyilrveya.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ofyxqkbumgtzipbydqkb.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\dvppjewqjeszjreciwrjd.exe	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe
File opened for modification	C:\Windows\SysWOW64\ofyxqkbumgtzipbydqkb.exe	iffdguquspp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe
File opened for modification	C:\Program Files (x86)\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File created	C:\Program Files (x86)\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File opened for modification	C:\Program Files (x86)\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ofyxqkbumgtzipbydqkb.exe	dfjtx.exe
File opened for modification	C:\Windows\unijeatoietbmvjipeatop.exe	dfjtx.exe
File opened for modification	C:\Windows\dvppjewqjeszjreciwrjd.exe	dfjtx.exe
File opened for modification	C:\Windows\hvlhxocshyilrveya.exe	dfjtx.exe
File opened for modification	C:\Windows\brjhzsiarkwbjpawamf.exe	iffdguquspp.exe
File opened for modification	C:\Windows\ofyxqkbumgtzipbydqkb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\dvppjewqjeszjreciwrjd.exe	iffdguquspp.exe
File opened for modification	C:\Windows\ancxmcpesirtybjc.exe	dfjtx.exe
File opened for modification	C:\Windows\brjhzsiarkwbjpawamf.exe	dfjtx.exe
File opened for modification	C:\Windows\dvppjewqjeszjreciwrjd.exe	dfjtx.exe
File opened for modification	C:\Windows\brjhzsiarkwbjpawamf.exe	dfjtx.exe
File opened for modification	C:\Windows\qfwtkcriyqbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\unijeatoietbmvjipeatop.exe	dfjtx.exe
File opened for modification	C:\Windows\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File opened for modification	C:\Windows\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe
File opened for modification	C:\Windows\ofyxqkbumgtzipbydqkb.exe	dfjtx.exe
File created	C:\Windows\ihipqsrssupdujdivqsrszac.cce	dfjtx.exe
File created	C:\Windows\rbnfreoalyedffkayerbnfreoalyedffkay.rbn	dfjtx.exe
File opened for modification	C:\Windows\qfwtkcriyqbfmrbwzk.exe	dfjtx.exe
File opened for modification	C:\Windows\hvlhxocshyilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\unijeatoietbmvjipeatop.exe	iffdguquspp.exe
File opened for modification	C:\Windows\ancxmcpesirtybjc.exe	dfjtx.exe
File opened for modification	C:\Windows\hvlhxocshyilrveya.exe	dfjtx.exe
File opened for modification	C:\Windows\qfwtkcriyqbfmrbwzk.exe	dfjtx.exe
File opened for modification	C:\Windows\ancxmcpesirtybjc.exe	iffdguquspp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
536	dfjtx.exe
536	dfjtx.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
536	dfjtx.exe
536	dfjtx.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	dfjtx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2036	1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe	27
PID 1348 wrote to memory of 2036	1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe	27
PID 1348 wrote to memory of 2036	1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe	27
PID 1348 wrote to memory of 2036	1348	f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe	27
PID 2036 wrote to memory of 536	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 536	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 536	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 536	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dfjtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dfjtx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfjtx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dfjtx.exe

C:\Users\Admin\AppData\Local\Temp\f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe
"C:\Users\Admin\AppData\Local\Temp\f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\dfjtx.exe
    "C:\Users\Admin\AppData\Local\Temp\dfjtx.exe" "-C:\Users\Admin\AppData\Local\Temp\ancxmcpesirtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\dfjtx.exe
    "C:\Users\Admin\AppData\Local\Temp\dfjtx.exe" "-C:\Users\Admin\AppData\Local\Temp\ancxmcpesirtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ancxmcpesirtybjc.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\brjhzsiarkwbjpawamf.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvppjewqjeszjreciwrjd.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvlhxocshyilrveya.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
f6946c82647fe785e23e90895f434f8a

SHA1
4fce236834554b30395248a926bf6553d5e8ee5c

SHA256
7dfb46e1cff0e6fdc2e3376fc69aff565a4fed9665ad79bbfa900a8a3b25217c

SHA512
07b6dc0e172fcf9c9f6e1f99fef1717b2c4cedaa7577d0767e0dbf9877b32cd4dbd5434af89975479e7ac4493779d573411f8da364965baea7de60b4e2a516b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
f6946c82647fe785e23e90895f434f8a

SHA1
4fce236834554b30395248a926bf6553d5e8ee5c

SHA256
7dfb46e1cff0e6fdc2e3376fc69aff565a4fed9665ad79bbfa900a8a3b25217c

SHA512
07b6dc0e172fcf9c9f6e1f99fef1717b2c4cedaa7577d0767e0dbf9877b32cd4dbd5434af89975479e7ac4493779d573411f8da364965baea7de60b4e2a516b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofyxqkbumgtzipbydqkb.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfwtkcriyqbfmrbwzk.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\unijeatoietbmvjipeatop.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\ancxmcpesirtybjc.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\brjhzsiarkwbjpawamf.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\dvppjewqjeszjreciwrjd.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\hvlhxocshyilrveya.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\ofyxqkbumgtzipbydqkb.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\qfwtkcriyqbfmrbwzk.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\SysWOW64\unijeatoietbmvjipeatop.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\ancxmcpesirtybjc.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\ancxmcpesirtybjc.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\brjhzsiarkwbjpawamf.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\brjhzsiarkwbjpawamf.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\dvppjewqjeszjreciwrjd.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\dvppjewqjeszjreciwrjd.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\hvlhxocshyilrveya.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\hvlhxocshyilrveya.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\ofyxqkbumgtzipbydqkb.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\ofyxqkbumgtzipbydqkb.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\qfwtkcriyqbfmrbwzk.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\qfwtkcriyqbfmrbwzk.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\unijeatoietbmvjipeatop.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
C:\Windows\unijeatoietbmvjipeatop.exe

Filesize
1016KB

MD5
6112b7be85e203de144e8cf777877430

SHA1
eeca0708de0f1ea1fc8187c6d8d7e77d840fe894

SHA256
f94a2ec66b0687d8653e12ab2587ca408e823f609a70ddd400afcb6e343c4121

SHA512
dc117254e5d76aee4e304a8789e95ab7d0f860356e242c2c5e9b56194eb33f433e19ca19e93c573cdae5430ee744dd01ec645c98180cc5652fd65a65d7231fd3

Download Submit
\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
\Users\Admin\AppData\Local\Temp\dfjtx.exe

Filesize
696KB

MD5
aec39557ba53bd265a4565cc27733ec8

SHA1
f9b72625c3a2a0044dbc8ed85097159c5f6d9d17

SHA256
658ebe4a8c585c0214b8d25f37aa62c567a608b3125aa83dc02dafe595cd69cd

SHA512
3d804c2697e69624bd2d4a7365a3bfd1f808078450bbdc7cd55679f4d6790b08c1dc3f584249619d8df42684357f907865a58552553ed5ab11fa90cf91042655

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
f6946c82647fe785e23e90895f434f8a

SHA1
4fce236834554b30395248a926bf6553d5e8ee5c

SHA256
7dfb46e1cff0e6fdc2e3376fc69aff565a4fed9665ad79bbfa900a8a3b25217c

SHA512
07b6dc0e172fcf9c9f6e1f99fef1717b2c4cedaa7577d0767e0dbf9877b32cd4dbd5434af89975479e7ac4493779d573411f8da364965baea7de60b4e2a516b9

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
f6946c82647fe785e23e90895f434f8a

SHA1
4fce236834554b30395248a926bf6553d5e8ee5c

SHA256
7dfb46e1cff0e6fdc2e3376fc69aff565a4fed9665ad79bbfa900a8a3b25217c

SHA512
07b6dc0e172fcf9c9f6e1f99fef1717b2c4cedaa7577d0767e0dbf9877b32cd4dbd5434af89975479e7ac4493779d573411f8da364965baea7de60b4e2a516b9

Download Submit
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download