da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
Size

1016KB
MD5

a18c15eec6f29f6068ad2233ed5f3b20
SHA1

c27c3f1aba2e08de4bc97ea415c38c5c71e81a12
SHA256

da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2
SHA512

962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24
SSDEEP

6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:qIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gnbhjr.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gnbhjr.exe

Adds policy Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "sjhxjbqcziqytonx.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "ibbthbsgfqakhefraq.exe"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "ibbthbsgfqakhefraq.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzsdkxhogkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzvjtjwgbioung = "gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe

Executes dropped EXE 3 IoCs

pid	Process
2044	hkaqkpraruk.exe
3096	gnbhjr.exe
2872	gnbhjr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	hkaqkpraruk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "sjhxjbqcziqytonx.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndaparfqmubicwu = "zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sjhxjbqcziqytonx = "gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "ibbthbsgfqakhefraq.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "sjhxjbqcziqytonx.exe ."	hkaqkpraruk.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	gnbhjr.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sjhxjbqcziqytonx = "vrupgdxoqereeeixjcjfi.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sjhxjbqcziqytonx = "vrupgdxoqereeeixjcjfi.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnohwrjyykvgecerbsx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "tnohwrjyykvgecerbsx.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sjhxjbqcziqytonx = "zrqhundqoyhqmiitb.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrqhundqoyhqmiitb.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "gbdxnjcstgsedcftewcx.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "sjhxjbqcziqytonx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "ibbthbsgfqakhefraq.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndaparfqmubicwu = "sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "vrupgdxoqereeeixjcjfi.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndaparfqmubicwu = "gbdxnjcstgsedcftewcx.exe"	hkaqkpraruk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrqhundqoyhqmiitb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbthbsgfqakhefraq.exe ."	hkaqkpraruk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrupgdxoqereeeixjcjfi.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sjhxjbqcziqytonx = "sjhxjbqcziqytonx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe ."	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ibbthbsgfqakhefraq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjhxjbqcziqytonx.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxrdlzkslquy = "ibbthbsgfqakhefraq.exe"	gnbhjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "zrqhundqoyhqmiitb.exe ."	gnbhjr.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	gnbhjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jxsfodpysydia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbdxnjcstgsedcftewcx.exe ."	gnbhjr.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hkaqkpraruk.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	whatismyip.everdot.org
22	www.showmyipaddress.com
35	whatismyipaddress.com
44	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vrupgdxoqereeeixjcjfi.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\mjnjbzumpesghindqksptp.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\ibbthbsgfqakhefraq.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\gbdxnjcstgsedcftewcx.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\gbdxnjcstgsedcftewcx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\ibbthbsgfqakhefraq.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\gbdxnjcstgsedcftewcx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\tnohwrjyykvgecerbsx.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\ibbthbsgfqakhefraq.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\sjhxjbqcziqytonx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\mjnjbzumpesghindqksptp.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\sjhxjbqcziqytonx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\zrqhundqoyhqmiitb.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\vrupgdxoqereeeixjcjfi.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\mjnjbzumpesghindqksptp.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\SysWOW64\zrqhundqoyhqmiitb.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\tnohwrjyykvgecerbsx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\vrupgdxoqereeeixjcjfi.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\zrqhundqoyhqmiitb.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\tnohwrjyykvgecerbsx.exe	gnbhjr.exe
File opened for modification	C:\Windows\SysWOW64\sjhxjbqcziqytonx.exe	hkaqkpraruk.exe
File created	C:\Windows\SysWOW64\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe
File created	C:\Windows\SysWOW64\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe
File created	C:\Program Files (x86)\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe
File opened for modification	C:\Program Files (x86)\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe
File created	C:\Program Files (x86)\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mjnjbzumpesghindqksptp.exe	gnbhjr.exe
File created	C:\Windows\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe
File opened for modification	C:\Windows\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe
File opened for modification	C:\Windows\ibbthbsgfqakhefraq.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\mjnjbzumpesghindqksptp.exe	gnbhjr.exe
File opened for modification	C:\Windows\zrqhundqoyhqmiitb.exe	gnbhjr.exe
File opened for modification	C:\Windows\gbdxnjcstgsedcftewcx.exe	gnbhjr.exe
File opened for modification	C:\Windows\ibbthbsgfqakhefraq.exe	gnbhjr.exe
File opened for modification	C:\Windows\mrdhhnqqbyuqzivtoqglxbbhkk.sok	gnbhjr.exe
File opened for modification	C:\Windows\sjhxjbqcziqytonx.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\zrqhundqoyhqmiitb.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\ibbthbsgfqakhefraq.exe	gnbhjr.exe
File opened for modification	C:\Windows\vrupgdxoqereeeixjcjfi.exe	gnbhjr.exe
File opened for modification	C:\Windows\sjhxjbqcziqytonx.exe	gnbhjr.exe
File opened for modification	C:\Windows\tnohwrjyykvgecerbsx.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\gbdxnjcstgsedcftewcx.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\zrqhundqoyhqmiitb.exe	gnbhjr.exe
File opened for modification	C:\Windows\tnohwrjyykvgecerbsx.exe	gnbhjr.exe
File opened for modification	C:\Windows\tnohwrjyykvgecerbsx.exe	gnbhjr.exe
File opened for modification	C:\Windows\gbdxnjcstgsedcftewcx.exe	gnbhjr.exe
File opened for modification	C:\Windows\vrupgdxoqereeeixjcjfi.exe	gnbhjr.exe
File created	C:\Windows\ndaparfqmubicwudjwxnkzkbpawelsmgentgh.uju	gnbhjr.exe
File opened for modification	C:\Windows\vrupgdxoqereeeixjcjfi.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\mjnjbzumpesghindqksptp.exe	hkaqkpraruk.exe
File opened for modification	C:\Windows\sjhxjbqcziqytonx.exe	gnbhjr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
3096	gnbhjr.exe
3096	gnbhjr.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
3096	gnbhjr.exe
3096	gnbhjr.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	gnbhjr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2044	5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe	83
PID 5048 wrote to memory of 2044	5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe	83
PID 5048 wrote to memory of 2044	5048	da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe	83
PID 2044 wrote to memory of 3096	2044	hkaqkpraruk.exe	86
PID 2044 wrote to memory of 3096	2044	hkaqkpraruk.exe	86
PID 2044 wrote to memory of 3096	2044	hkaqkpraruk.exe	86
PID 2044 wrote to memory of 2872	2044	hkaqkpraruk.exe	87
PID 2044 wrote to memory of 2872	2044	hkaqkpraruk.exe	87
PID 2044 wrote to memory of 2872	2044	hkaqkpraruk.exe	87

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	gnbhjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hkaqkpraruk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hkaqkpraruk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	gnbhjr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	gnbhjr.exe

C:\Users\Admin\AppData\Local\Temp\da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe
"C:\Users\Admin\AppData\Local\Temp\da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe
  "C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe" "c:\users\admin\appdata\local\temp\da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe
    "C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe" "-C:\Users\Admin\AppData\Local\Temp\sjhxjbqcziqytonx.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3096
- - C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe
    "C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe" "-C:\Users\Admin\AppData\Local\Temp\sjhxjbqcziqytonx.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbdxnjcstgsedcftewcx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe

Filesize
720KB

MD5
4bb0af1bfbadc05efa26f9a989d1557e

SHA1
7b4351a5b9ff4983e481dea5c63c1a2e1204d4b5

SHA256
ec6823c068bfb1547d4ca27bb90c2c22fd1a1d4c5636affb850a4f7773d26677

SHA512
a8d36a86911aee7a50dec9965f5861d03e74a46d1a78f7c435855ed4794eb8c1aaf9fe1066d93767dfaa5ee80ccbbade0aac0f25d74a268a9aea9e84de2f4019

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe

Filesize
720KB

MD5
4bb0af1bfbadc05efa26f9a989d1557e

SHA1
7b4351a5b9ff4983e481dea5c63c1a2e1204d4b5

SHA256
ec6823c068bfb1547d4ca27bb90c2c22fd1a1d4c5636affb850a4f7773d26677

SHA512
a8d36a86911aee7a50dec9965f5861d03e74a46d1a78f7c435855ed4794eb8c1aaf9fe1066d93767dfaa5ee80ccbbade0aac0f25d74a268a9aea9e84de2f4019

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnbhjr.exe

Filesize
720KB

MD5
4bb0af1bfbadc05efa26f9a989d1557e

SHA1
7b4351a5b9ff4983e481dea5c63c1a2e1204d4b5

SHA256
ec6823c068bfb1547d4ca27bb90c2c22fd1a1d4c5636affb850a4f7773d26677

SHA512
a8d36a86911aee7a50dec9965f5861d03e74a46d1a78f7c435855ed4794eb8c1aaf9fe1066d93767dfaa5ee80ccbbade0aac0f25d74a268a9aea9e84de2f4019

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe

Filesize
320KB

MD5
b8437b8b6da35376a8b946a6fc9a9af8

SHA1
0a6df2e53fb0ead378abab962894cc8513fe1aa1

SHA256
70375005646e541ae422a1d413df94c2310a82781112d482fed68780835e2188

SHA512
bbba92fabb8958f3b6ab53c322cc96aafa282ddb31e02ee6d12b6192df04ee8b75805c5f55bf4efdabb837c70b001bfdca2e09061d1a5d61e1abf364bdeda9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkaqkpraruk.exe

Filesize
320KB

MD5
b8437b8b6da35376a8b946a6fc9a9af8

SHA1
0a6df2e53fb0ead378abab962894cc8513fe1aa1

SHA256
70375005646e541ae422a1d413df94c2310a82781112d482fed68780835e2188

SHA512
bbba92fabb8958f3b6ab53c322cc96aafa282ddb31e02ee6d12b6192df04ee8b75805c5f55bf4efdabb837c70b001bfdca2e09061d1a5d61e1abf364bdeda9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibbthbsgfqakhefraq.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjnjbzumpesghindqksptp.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjhxjbqcziqytonx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnohwrjyykvgecerbsx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrupgdxoqereeeixjcjfi.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrqhundqoyhqmiitb.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\gbdxnjcstgsedcftewcx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\ibbthbsgfqakhefraq.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\mjnjbzumpesghindqksptp.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\sjhxjbqcziqytonx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\tnohwrjyykvgecerbsx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\vrupgdxoqereeeixjcjfi.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\SysWOW64\zrqhundqoyhqmiitb.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\gbdxnjcstgsedcftewcx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\gbdxnjcstgsedcftewcx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\ibbthbsgfqakhefraq.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\ibbthbsgfqakhefraq.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\mjnjbzumpesghindqksptp.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\mjnjbzumpesghindqksptp.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\sjhxjbqcziqytonx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\sjhxjbqcziqytonx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\tnohwrjyykvgecerbsx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\tnohwrjyykvgecerbsx.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\vrupgdxoqereeeixjcjfi.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\vrupgdxoqereeeixjcjfi.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\zrqhundqoyhqmiitb.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit
C:\Windows\zrqhundqoyhqmiitb.exe

Filesize
1016KB

MD5
a18c15eec6f29f6068ad2233ed5f3b20

SHA1
c27c3f1aba2e08de4bc97ea415c38c5c71e81a12

SHA256
da0fc5eb01f33f52e93c33351efd25dfc13a8ac1867cb54ef607bb243aa4afd2

SHA512
962cc663c7f6f352788ad8c34c10c2229e95503afa703a6298900203e078a3e22de207c887bd39a3eb257d90977cc9f98761cc660de9cf065496261bf50e2d24

Download Submit