73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

Analysis

max time kernel
175s
max time network
199s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
Size

1016KB
MD5

a1b69e3727d1f0dc5ac1f4343af46ce0
SHA1

d4f1e6febc4d7f60694717cb18396f6ba1abe62c
SHA256

73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9
SHA512

868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18
SSDEEP

6144:LIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:LIXsgtvm1De5YlOx6lzBH46Uzf7lXUW

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aehtagm.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aehtagm.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "zmytjynfvirtybjc.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "cullgaurmeszjreciwqiz.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "pesphypjbqbfmrbwzk.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "pesphypjbqbfmrbwzk.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "neutngzvpgtzipbydqja.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqsdjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pesphypjbqbfmrbwzk.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "cullgaurmeszjreciwqiz.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmrfowepy = "aqfdwogbukwbjpawame.exe"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aehtagm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe

Executes dropped EXE 3 IoCs

pid	Process
544	iffdguquspp.exe
1292	aehtagm.exe
1080	aehtagm.exe

Loads dropped DLL 6 IoCs

pid	Process
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
544	iffdguquspp.exe
544	iffdguquspp.exe
544	iffdguquspp.exe
544	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "zmytjynfvirtybjc.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "neutngzvpgtzipbydqja.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zgmbludpzg = "zmytjynfvirtybjc.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zgmbludpzg = "pesphypjbqbfmrbwzk.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "zmytjynfvirtybjc.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "cullgaurmeszjreciwqiz.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "zmytjynfvirtybjc.exe ."	aehtagm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "aqfdwogbukwbjpawame.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "cullgaurmeszjreciwqiz.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raizlwhvhqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmytjynfvirtybjc.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zgmbludpzg = "neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zgmbludpzg = "guhdukatkyilrveya.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zgmbludpzg = "aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "aqfdwogbukwbjpawame.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pesphypjbqbfmrbwzk.exe ."	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raizlwhvhqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "guhdukatkyilrveya.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "cullgaurmeszjreciwqiz.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "cullgaurmeszjreciwqiz.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe ."	aehtagm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raizlwhvhqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "zmytjynfvirtybjc.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raizlwhvhqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\guhdukatkyilrveya.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raizlwhvhqvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmytjynfvirtybjc.exe ."	aehtagm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "neutngzvpgtzipbydqja.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajboamboyedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "neutngzvpgtzipbydqja.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "pesphypjbqbfmrbwzk.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "aqfdwogbukwbjpawame.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cullgaurmeszjreciwqiz.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqfdwogbukwbjpawame.exe"	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehtagm = "zmytjynfvirtybjc.exe"	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neutngzvpgtzipbydqja.exe"	aehtagm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmytjynfvirtybjc.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "pesphypjbqbfmrbwzk.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ucjzkuercko = "pesphypjbqbfmrbwzk.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqfdwogbukwbjpawame.exe ."	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehtagm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pesphypjbqbfmrbwzk.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aehtagm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\puyltahr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pesphypjbqbfmrbwzk.exe ."	aehtagm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	www.showmyipaddress.com
5	whatismyip.everdot.org
14	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\guhdukatkyilrveya.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\pesphypjbqbfmrbwzk.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\aqfdwogbukwbjpawame.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\tmefbwrpletbmvjipezskl.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\aqfdwogbukwbjpawame.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\tmefbwrpletbmvjipezskl.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\aqfdwogbukwbjpawame.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\cullgaurmeszjreciwqiz.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\guhdukatkyilrveya.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\neutngzvpgtzipbydqja.exe	aehtagm.exe
File created	C:\Windows\SysWOW64\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\guhdukatkyilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\zmytjynfvirtybjc.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\cullgaurmeszjreciwqiz.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\neutngzvpgtzipbydqja.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\pesphypjbqbfmrbwzk.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\neutngzvpgtzipbydqja.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\tmefbwrpletbmvjipezskl.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\zmytjynfvirtybjc.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\cullgaurmeszjreciwqiz.exe	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe
File created	C:\Windows\SysWOW64\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File opened for modification	C:\Windows\SysWOW64\zmytjynfvirtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\pesphypjbqbfmrbwzk.exe	iffdguquspp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File created	C:\Program Files (x86)\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File opened for modification	C:\Program Files (x86)\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe
File created	C:\Program Files (x86)\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\guhdukatkyilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\neutngzvpgtzipbydqja.exe	aehtagm.exe
File opened for modification	C:\Windows\cullgaurmeszjreciwqiz.exe	aehtagm.exe
File opened for modification	C:\Windows\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File created	C:\Windows\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe
File created	C:\Windows\qajboamboyedffkayeqajboamboyedffkay.qaj	aehtagm.exe
File opened for modification	C:\Windows\neutngzvpgtzipbydqja.exe	iffdguquspp.exe
File opened for modification	C:\Windows\cullgaurmeszjreciwqiz.exe	iffdguquspp.exe
File opened for modification	C:\Windows\tmefbwrpletbmvjipezskl.exe	iffdguquspp.exe
File opened for modification	C:\Windows\aqfdwogbukwbjpawame.exe	aehtagm.exe
File opened for modification	C:\Windows\cullgaurmeszjreciwqiz.exe	aehtagm.exe
File opened for modification	C:\Windows\tmefbwrpletbmvjipezskl.exe	aehtagm.exe
File opened for modification	C:\Windows\aqfdwogbukwbjpawame.exe	aehtagm.exe
File opened for modification	C:\Windows\zmytjynfvirtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\guhdukatkyilrveya.exe	aehtagm.exe
File opened for modification	C:\Windows\pesphypjbqbfmrbwzk.exe	aehtagm.exe
File opened for modification	C:\Windows\tmefbwrpletbmvjipezskl.exe	aehtagm.exe
File opened for modification	C:\Windows\guhdukatkyilrveya.exe	aehtagm.exe
File opened for modification	C:\Windows\pesphypjbqbfmrbwzk.exe	aehtagm.exe
File opened for modification	C:\Windows\pesphypjbqbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\aqfdwogbukwbjpawame.exe	iffdguquspp.exe
File opened for modification	C:\Windows\zmytjynfvirtybjc.exe	aehtagm.exe
File opened for modification	C:\Windows\neutngzvpgtzipbydqja.exe	aehtagm.exe
File opened for modification	C:\Windows\zmytjynfvirtybjc.exe	aehtagm.exe
File opened for modification	C:\Windows\hgelnoptvupdujdivqrqovxy.dfe	aehtagm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
1080	aehtagm.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
1080	aehtagm.exe
1080	aehtagm.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	aehtagm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 544	900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe	27
PID 900 wrote to memory of 544	900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe	27
PID 900 wrote to memory of 544	900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe	27
PID 900 wrote to memory of 544	900	73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe	27
PID 544 wrote to memory of 1292	544	iffdguquspp.exe	28
PID 544 wrote to memory of 1292	544	iffdguquspp.exe	28
PID 544 wrote to memory of 1292	544	iffdguquspp.exe	28
PID 544 wrote to memory of 1292	544	iffdguquspp.exe	28
PID 544 wrote to memory of 1080	544	iffdguquspp.exe	29
PID 544 wrote to memory of 1080	544	iffdguquspp.exe	29
PID 544 wrote to memory of 1080	544	iffdguquspp.exe	29
PID 544 wrote to memory of 1080	544	iffdguquspp.exe	29

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aehtagm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aehtagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aehtagm.exe

C:\Users\Admin\AppData\Local\Temp\73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe
"C:\Users\Admin\AppData\Local\Temp\73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\aehtagm.exe
    "C:\Users\Admin\AppData\Local\Temp\aehtagm.exe" "-C:\Users\Admin\AppData\Local\Temp\zmytjynfvirtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\aehtagm.exe
    "C:\Users\Admin\AppData\Local\Temp\aehtagm.exe" "-C:\Users\Admin\AppData\Local\Temp\zmytjynfvirtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqfdwogbukwbjpawame.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqfdwogbukwbjpawame.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cullgaurmeszjreciwqiz.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cullgaurmeszjreciwqiz.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\guhdukatkyilrveya.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\guhdukatkyilrveya.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
708f3d27a1076c1796c97c380e3c5b82

SHA1
6f7d38fce089248480cc7d8ee2136df83855dd78

SHA256
c1bfb4688e1a0791b6627a68f50912fa55ff45832689e9d17a102086ba615fdb

SHA512
5dfa88421ebc89a170f9224b9070ab972c8a831771885ede59f492b1e6feb1d5cf3342805b139fee13f2d94afe0d0f64bb68edceac2b5efb4db63e93c326f9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
708f3d27a1076c1796c97c380e3c5b82

SHA1
6f7d38fce089248480cc7d8ee2136df83855dd78

SHA256
c1bfb4688e1a0791b6627a68f50912fa55ff45832689e9d17a102086ba615fdb

SHA512
5dfa88421ebc89a170f9224b9070ab972c8a831771885ede59f492b1e6feb1d5cf3342805b139fee13f2d94afe0d0f64bb68edceac2b5efb4db63e93c326f9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\neutngzvpgtzipbydqja.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\neutngzvpgtzipbydqja.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\pesphypjbqbfmrbwzk.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\pesphypjbqbfmrbwzk.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmefbwrpletbmvjipezskl.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmefbwrpletbmvjipezskl.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmytjynfvirtybjc.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\aqfdwogbukwbjpawame.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\cullgaurmeszjreciwqiz.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\guhdukatkyilrveya.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\neutngzvpgtzipbydqja.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\pesphypjbqbfmrbwzk.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\tmefbwrpletbmvjipezskl.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\SysWOW64\zmytjynfvirtybjc.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\aqfdwogbukwbjpawame.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\aqfdwogbukwbjpawame.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\cullgaurmeszjreciwqiz.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\cullgaurmeszjreciwqiz.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\guhdukatkyilrveya.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\guhdukatkyilrveya.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\neutngzvpgtzipbydqja.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\neutngzvpgtzipbydqja.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\pesphypjbqbfmrbwzk.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\pesphypjbqbfmrbwzk.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\tmefbwrpletbmvjipezskl.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\tmefbwrpletbmvjipezskl.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\zmytjynfvirtybjc.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
C:\Windows\zmytjynfvirtybjc.exe

Filesize
1016KB

MD5
a1b69e3727d1f0dc5ac1f4343af46ce0

SHA1
d4f1e6febc4d7f60694717cb18396f6ba1abe62c

SHA256
73f7a6a2a02061e5bc023e691fecc5c676a37a211ad5d58268a6cc6a289462c9

SHA512
868b4f32754f800e3e9ebb07822d9c8bec05f2e9cc16530d51ed57f014a1b78add332ebaa42a06dd53a3768f110ad03ada33b4b0b35885d31e01d1e92a6a9f18

Download Submit
\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
\Users\Admin\AppData\Local\Temp\aehtagm.exe

Filesize
712KB

MD5
425197e6aeb755953989d7fb9fe04508

SHA1
8954f74134bc8bd88ca77942f58dde37adf0ef26

SHA256
350d751dce0c55898dd9f1b13bd03385ca42e7e4f00d8c23831694934782eb98

SHA512
4e831d06942f4cf21bc66d5a63d152b3f3d6d1d0a24f93f5c495faa36da090c042c2a63c25210fbd23db57b0884b98b5fb9f8f73b329bf6a78947339c7832a53

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
708f3d27a1076c1796c97c380e3c5b82

SHA1
6f7d38fce089248480cc7d8ee2136df83855dd78

SHA256
c1bfb4688e1a0791b6627a68f50912fa55ff45832689e9d17a102086ba615fdb

SHA512
5dfa88421ebc89a170f9224b9070ab972c8a831771885ede59f492b1e6feb1d5cf3342805b139fee13f2d94afe0d0f64bb68edceac2b5efb4db63e93c326f9e2

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
708f3d27a1076c1796c97c380e3c5b82

SHA1
6f7d38fce089248480cc7d8ee2136df83855dd78

SHA256
c1bfb4688e1a0791b6627a68f50912fa55ff45832689e9d17a102086ba615fdb

SHA512
5dfa88421ebc89a170f9224b9070ab972c8a831771885ede59f492b1e6feb1d5cf3342805b139fee13f2d94afe0d0f64bb68edceac2b5efb4db63e93c326f9e2

Download Submit
memory/900-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download