d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

Analysis

max time kernel
173s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
Size

1016KB
MD5

a15ddb37241f6e4c6453bf3444da7e80
SHA1

eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a
SHA256

d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41
SHA512

4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a
SSDEEP

6144:0mIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:0mIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ovwcen.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ovwcen.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "arcsexkhthegfvlg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "hzlcpjxvixvyypgcg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzlcpjxvixvyypgcg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzpkbzrtkdfmqlggoernd.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "arcsexkhthegfvlg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\djjop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzckozet = "ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe

Executes dropped EXE 3 IoCs

pid	Process
888	vsmxiywcfcw.exe
848	ovwcen.exe
1732	ovwcen.exe

Loads dropped DLL 6 IoCs

pid	Process
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
888	vsmxiywcfcw.exe
888	vsmxiywcfcw.exe
888	vsmxiywcfcw.exe
888	vsmxiywcfcw.exe

Adds Run key to start application 2 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ovwcen.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "hzlcpjxvixvyypgcg.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovwcen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzpkbzrtkdfmqlggoernd.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrvejvbrw = "dzpkbzrtkdfmqlggoernd.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "ojysifwxnfgmpjdcjykf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "hzlcpjxvixvyypgcg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "hzlcpjxvixvyypgcg.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "arcsexkhthegfvlg.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovwcen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "arcsexkhthegfvlg.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "hzlcpjxvixvyypgcg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovwcen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzpkbzrtkdfmqlggoernd.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe ."	ovwcen.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "ojysifwxnfgmpjdcjykf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovwcen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe ."	ovwcen.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ovwcen.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzlcpjxvixvyypgcg.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "arcsexkhthegfvlg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrvejvbrw = "ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "qjwocxmlzpostldafs.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "ojysifwxnfgmpjdcjykf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrvejvbrw = "bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrvejvbrw = "bvjcrnddsjjoqjcaguf.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "qjwocxmlzpostldafs.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovwcen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojysifwxnfgmpjdcjykf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "bvjcrnddsjjoqjcaguf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfmygvexfpig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arcsexkhthegfvlg.exe"	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrvejvbrw = "qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhnyftbtajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvjcrnddsjjoqjcaguf.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\alqagtarxf = "bvjcrnddsjjoqjcaguf.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzlcpjxvixvyypgcg.exe ."	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjlsvfj = "dzpkbzrtkdfmqlggoernd.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "ojysifwxnfgmpjdcjykf.exe"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "qjwocxmlzpostldafs.exe"	ovwcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ovwcen = "ojysifwxnfgmpjdcjykf.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
7	whatismyip.everdot.org
10	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uriewvorjdgotplmvmaxok.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\arcsexkhthegfvlg.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\hzlcpjxvixvyypgcg.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\qjwocxmlzpostldafs.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\ojysifwxnfgmpjdcjykf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\hzlcpjxvixvyypgcg.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\ojysifwxnfgmpjdcjykf.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\uriewvorjdgotplmvmaxok.exe	ovwcen.exe
File created	C:\Windows\SysWOW64\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\arcsexkhthegfvlg.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\bvjcrnddsjjoqjcaguf.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\dzpkbzrtkdfmqlggoernd.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\dzpkbzrtkdfmqlggoernd.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\dzpkbzrtkdfmqlggoernd.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\uriewvorjdgotplmvmaxok.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\qjwocxmlzpostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\bvjcrnddsjjoqjcaguf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\qjwocxmlzpostldafs.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\bvjcrnddsjjoqjcaguf.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\ojysifwxnfgmpjdcjykf.exe	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe
File opened for modification	C:\Windows\SysWOW64\arcsexkhthegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\hzlcpjxvixvyypgcg.exe	vsmxiywcfcw.exe
File created	C:\Windows\SysWOW64\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe
File opened for modification	C:\Program Files (x86)\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe
File created	C:\Program Files (x86)\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe
File opened for modification	C:\Program Files (x86)\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\qjwocxmlzpostldafs.exe	ovwcen.exe
File opened for modification	C:\Windows\ojysifwxnfgmpjdcjykf.exe	ovwcen.exe
File opened for modification	C:\Windows\dzpkbzrtkdfmqlggoernd.exe	ovwcen.exe
File opened for modification	C:\Windows\qjwocxmlzpostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\ojysifwxnfgmpjdcjykf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\uriewvorjdgotplmvmaxok.exe	ovwcen.exe
File opened for modification	C:\Windows\hzlcpjxvixvyypgcg.exe	ovwcen.exe
File opened for modification	C:\Windows\dzpkbzrtkdfmqlggoernd.exe	ovwcen.exe
File opened for modification	C:\Windows\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe
File opened for modification	C:\Windows\hzlcpjxvixvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\dzpkbzrtkdfmqlggoernd.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\uriewvorjdgotplmvmaxok.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\arcsexkhthegfvlg.exe	ovwcen.exe
File opened for modification	C:\Windows\bvjcrnddsjjoqjcaguf.exe	ovwcen.exe
File opened for modification	C:\Windows\ojysifwxnfgmpjdcjykf.exe	ovwcen.exe
File opened for modification	C:\Windows\uriewvorjdgotplmvmaxok.exe	ovwcen.exe
File created	C:\Windows\efaawzwdzxeqzzzermefaa.zwd	ovwcen.exe
File opened for modification	C:\Windows\arcsexkhthegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\bvjcrnddsjjoqjcaguf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\hzlcpjxvixvyypgcg.exe	ovwcen.exe
File opened for modification	C:\Windows\qjwocxmlzpostldafs.exe	ovwcen.exe
File opened for modification	C:\Windows\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe
File created	C:\Windows\vhnyftbtajbysdoecilxdovjrjqzroite.syb	ovwcen.exe
File opened for modification	C:\Windows\arcsexkhthegfvlg.exe	ovwcen.exe
File opened for modification	C:\Windows\bvjcrnddsjjoqjcaguf.exe	ovwcen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
1732	ovwcen.exe
1732	ovwcen.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	ovwcen.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 888	2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe	28
PID 2012 wrote to memory of 888	2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe	28
PID 2012 wrote to memory of 888	2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe	28
PID 2012 wrote to memory of 888	2012	d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe	28
PID 888 wrote to memory of 848	888	vsmxiywcfcw.exe	29
PID 888 wrote to memory of 848	888	vsmxiywcfcw.exe	29
PID 888 wrote to memory of 848	888	vsmxiywcfcw.exe	29
PID 888 wrote to memory of 848	888	vsmxiywcfcw.exe	29
PID 888 wrote to memory of 1732	888	vsmxiywcfcw.exe	30
PID 888 wrote to memory of 1732	888	vsmxiywcfcw.exe	30
PID 888 wrote to memory of 1732	888	vsmxiywcfcw.exe	30
PID 888 wrote to memory of 1732	888	vsmxiywcfcw.exe	30

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ovwcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ovwcen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ovwcen.exe

C:\Users\Admin\AppData\Local\Temp\d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe
"C:\Users\Admin\AppData\Local\Temp\d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe
  "C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe" "c:\users\admin\appdata\local\temp\d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\ovwcen.exe
    "C:\Users\Admin\AppData\Local\Temp\ovwcen.exe" "-C:\Users\Admin\AppData\Local\Temp\arcsexkhthegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\ovwcen.exe
    "C:\Users\Admin\AppData\Local\Temp\ovwcen.exe" "-C:\Users\Admin\AppData\Local\Temp\arcsexkhthegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arcsexkhthegfvlg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvjcrnddsjjoqjcaguf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzlcpjxvixvyypgcg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojysifwxnfgmpjdcjykf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojysifwxnfgmpjdcjykf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjwocxmlzpostldafs.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uriewvorjdgotplmvmaxok.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uriewvorjdgotplmvmaxok.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6fb8381734c84677258c0af5c27bccd7

SHA1
738abfcb95a37f5d87c93a00d36889130ec9817f

SHA256
32fd27a34ab81bba5e50c1a60bc2a19d3714c91c983e5da7dbd7af260ba1d489

SHA512
fd2c5e980e043a9e75a45e2bd4ef69340dc1f34af4afda53e378dc1667229e69a74a2db5aad613372270ebb30439eb53dbc0ad3b2123cc743618271abf462119

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6fb8381734c84677258c0af5c27bccd7

SHA1
738abfcb95a37f5d87c93a00d36889130ec9817f

SHA256
32fd27a34ab81bba5e50c1a60bc2a19d3714c91c983e5da7dbd7af260ba1d489

SHA512
fd2c5e980e043a9e75a45e2bd4ef69340dc1f34af4afda53e378dc1667229e69a74a2db5aad613372270ebb30439eb53dbc0ad3b2123cc743618271abf462119

Download Submit
C:\Windows\SysWOW64\arcsexkhthegfvlg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\bvjcrnddsjjoqjcaguf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\hzlcpjxvixvyypgcg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\ojysifwxnfgmpjdcjykf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\qjwocxmlzpostldafs.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\SysWOW64\uriewvorjdgotplmvmaxok.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\arcsexkhthegfvlg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\arcsexkhthegfvlg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\bvjcrnddsjjoqjcaguf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\bvjcrnddsjjoqjcaguf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\dzpkbzrtkdfmqlggoernd.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\hzlcpjxvixvyypgcg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\hzlcpjxvixvyypgcg.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\ojysifwxnfgmpjdcjykf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\ojysifwxnfgmpjdcjykf.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\qjwocxmlzpostldafs.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\qjwocxmlzpostldafs.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\uriewvorjdgotplmvmaxok.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
C:\Windows\uriewvorjdgotplmvmaxok.exe

Filesize
1016KB

MD5
a15ddb37241f6e4c6453bf3444da7e80

SHA1
eb5aa2ed8cdf93bdab7f66ecaf36e1ca98ba109a

SHA256
d5803b050f5c49d93f1304781b2081d89fa2e7628105c8ca70ce7112e63e7c41

SHA512
4952e4b2f912446877bd3a330f5c4e7b29a2113ff48b85416e3cf401e341e68f074c44b242a7fb7da251dd61eba03f37f266c87b23382468d37dc297bfb61e3a

Download Submit
\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
\Users\Admin\AppData\Local\Temp\ovwcen.exe

Filesize
716KB

MD5
60c7ba80221762b54df38ba343c0fda4

SHA1
90ef63924607e849112c1bad71ac4238f94a6ede

SHA256
54e1fdc62a44fbd1e678de310070e2d67541aa957d80f8d1b4533da44bea0184

SHA512
58e10ca02db2f9dcbbea6f3db3490281407baafc8cac0b73dff33d937e8017fca5ff74a11502988519cfa1173d67b708d174abb348af771eef1e49ed3be07925

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6fb8381734c84677258c0af5c27bccd7

SHA1
738abfcb95a37f5d87c93a00d36889130ec9817f

SHA256
32fd27a34ab81bba5e50c1a60bc2a19d3714c91c983e5da7dbd7af260ba1d489

SHA512
fd2c5e980e043a9e75a45e2bd4ef69340dc1f34af4afda53e378dc1667229e69a74a2db5aad613372270ebb30439eb53dbc0ad3b2123cc743618271abf462119

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
6fb8381734c84677258c0af5c27bccd7

SHA1
738abfcb95a37f5d87c93a00d36889130ec9817f

SHA256
32fd27a34ab81bba5e50c1a60bc2a19d3714c91c983e5da7dbd7af260ba1d489

SHA512
fd2c5e980e043a9e75a45e2bd4ef69340dc1f34af4afda53e378dc1667229e69a74a2db5aad613372270ebb30439eb53dbc0ad3b2123cc743618271abf462119

Download Submit
memory/2012-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download