0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

Analysis

max time kernel
207s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
Size

1016KB
MD5

969823c040794294347f1453b53a1940
SHA1

9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac
SHA256

0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb
SHA512

917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48
SSDEEP

6144:yIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:yIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yfhnw.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfhnw.exe

Adds policy Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvjbwictozgxdxbbd.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "vnarlwpfzjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "wrhbymibylunvrxzdba.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvjbwictozgxdxbbd.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfunjwrjfrzrytyzcz.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "cvjbwictozgxdxbbd.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "wrhbymibylunvrxzdba.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "cvjbwictozgxdxbbd.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfjrceo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhoznsfpdh = "lfunjwrjfrzrytyzcz.exe"	yfhnw.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe

Executes dropped EXE 3 IoCs

pid	Process
208	grrfdxtjqbb.exe
1980	yfhnw.exe
1448	yfhnw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "vnarlwpfzjpfkdgf.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "lfunjwrjfrzrytyzcz.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "wrhbymibylunvrxzdba.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfunjwrjfrzrytyzcz.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "yvnjiywrqfqlvtbfllmjb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "cvjbwictozgxdxbbd.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "wrhbymibylunvrxzdba.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvjbwictozgxdxbbd.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvjbwictozgxdxbbd.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfunjwrjfrzrytyzcz.exe ."	yfhnw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "lfunjwrjfrzrytyzcz.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "cvjbwictozgxdxbbd.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "lfunjwrjfrzrytyzcz.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "yvnjiywrqfqlvtbfllmjb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "yvnjiywrqfqlvtbfllmjb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "jfwrpebvthrlurybgffb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "cvjbwictozgxdxbbd.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "yvnjiywrqfqlvtbfllmjb.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "jfwrpebvthrlurybgffb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfunjwrjfrzrytyzcz.exe"	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbkxnujvlrtf = "vnarlwpfzjpfkdgf.exe ."	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfunjwrjfrzrytyzcz.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "jfwrpebvthrlurybgffb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvjbwictozgxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfwrpebvthrlurybgffb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "wrhbymibylunvrxzdba.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mblzqyobszcpr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe ."	yfhnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "vnarlwpfzjpfkdgf.exe"	yfhnw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "wrhbymibylunvrxzdba.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cntdqugpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnarlwpfzjpfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndodvevjbjnbev = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrhbymibylunvrxzdba.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvajvyjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvnjiywrqfqlvtbfllmjb.exe"	yfhnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdlxmsgrglm = "wrhbymibylunvrxzdba.exe"	yfhnw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yfhnw.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	www.showmyipaddress.com
41	whatismyipaddress.com
55	whatismyip.everdot.org
57	whatismyipaddress.com
63	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wrhbymibylunvrxzdba.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\vnarlwpfzjpfkdgf.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\lfunjwrjfrzrytyzcz.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe
File created	C:\Windows\SysWOW64\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\lfunjwrjfrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\yvnjiywrqfqlvtbfllmjb.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\pngddutppfrnyxglstvtmj.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\cvjbwictozgxdxbbd.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\lfunjwrjfrzrytyzcz.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\wrhbymibylunvrxzdba.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\jfwrpebvthrlurybgffb.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\pngddutppfrnyxglstvtmj.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wrhbymibylunvrxzdba.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\jfwrpebvthrlurybgffb.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\vnarlwpfzjpfkdgf.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\pngddutppfrnyxglstvtmj.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\vnarlwpfzjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\cvjbwictozgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\jfwrpebvthrlurybgffb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\yvnjiywrqfqlvtbfllmjb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\cvjbwictozgxdxbbd.exe	yfhnw.exe
File opened for modification	C:\Windows\SysWOW64\yvnjiywrqfqlvtbfllmjb.exe	yfhnw.exe
File created	C:\Windows\SysWOW64\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe
File created	C:\Program Files (x86)\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe
File opened for modification	C:\Program Files (x86)\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe
File created	C:\Program Files (x86)\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vnarlwpfzjpfkdgf.exe	yfhnw.exe
File opened for modification	C:\Windows\wrhbymibylunvrxzdba.exe	yfhnw.exe
File opened for modification	C:\Windows\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe
File opened for modification	C:\Windows\lfunjwrjfrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\vnarlwpfzjpfkdgf.exe	yfhnw.exe
File opened for modification	C:\Windows\pngddutppfrnyxglstvtmj.exe	yfhnw.exe
File opened for modification	C:\Windows\yvnjiywrqfqlvtbfllmjb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\cvjbwictozgxdxbbd.exe	yfhnw.exe
File opened for modification	C:\Windows\lfunjwrjfrzrytyzcz.exe	yfhnw.exe
File opened for modification	C:\Windows\wrhbymibylunvrxzdba.exe	yfhnw.exe
File opened for modification	C:\Windows\lfunjwrjfrzrytyzcz.exe	yfhnw.exe
File opened for modification	C:\Windows\vnarlwpfzjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wrhbymibylunvrxzdba.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jfwrpebvthrlurybgffb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jfwrpebvthrlurybgffb.exe	yfhnw.exe
File opened for modification	C:\Windows\yvnjiywrqfqlvtbfllmjb.exe	yfhnw.exe
File created	C:\Windows\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe
File opened for modification	C:\Windows\pngddutppfrnyxglstvtmj.exe	yfhnw.exe
File opened for modification	C:\Windows\cvjbwictozgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\pngddutppfrnyxglstvtmj.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\yvnjiywrqfqlvtbfllmjb.exe	yfhnw.exe
File opened for modification	C:\Windows\vhoznsfpdhhrqdatodtfmxlqdnbffpob.rmb	yfhnw.exe
File opened for modification	C:\Windows\jfwrpebvthrlurybgffb.exe	yfhnw.exe
File opened for modification	C:\Windows\cvjbwictozgxdxbbd.exe	yfhnw.exe
File created	C:\Windows\abxxauwvyrgftvhpzdijf.ice	yfhnw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	yfhnw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 208	956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe	80
PID 956 wrote to memory of 208	956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe	80
PID 956 wrote to memory of 208	956	0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe	80
PID 208 wrote to memory of 1980	208	grrfdxtjqbb.exe	81
PID 208 wrote to memory of 1980	208	grrfdxtjqbb.exe	81
PID 208 wrote to memory of 1980	208	grrfdxtjqbb.exe	81
PID 208 wrote to memory of 1448	208	grrfdxtjqbb.exe	82
PID 208 wrote to memory of 1448	208	grrfdxtjqbb.exe	82
PID 208 wrote to memory of 1448	208	grrfdxtjqbb.exe	82

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yfhnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yfhnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yfhnw.exe

C:\Users\Admin\AppData\Local\Temp\0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe
"C:\Users\Admin\AppData\Local\Temp\0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\yfhnw.exe
    "C:\Users\Admin\AppData\Local\Temp\yfhnw.exe" "-C:\Users\Admin\AppData\Local\Temp\vnarlwpfzjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\yfhnw.exe
    "C:\Users\Admin\AppData\Local\Temp\yfhnw.exe" "-C:\Users\Admin\AppData\Local\Temp\vnarlwpfzjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cvjbwictozgxdxbbd.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
8f07e621f4e75519b143f0727974517f

SHA1
42d590021f9c9bfdf3d7c8bf62e4bf9ffed38e24

SHA256
72332573d4fd88455c3fd5ccdd6f13b0728b5e49c663ce3c83d989ce0fc8a3ab

SHA512
a1d37fded62a22279a3abd2bf294e17ac747ce0a60cd2f2b4cd9d624dc7d17610de1ac4271eb49c67033db911d36d2737d09d040645a7d994b15437e3cde95e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
8f07e621f4e75519b143f0727974517f

SHA1
42d590021f9c9bfdf3d7c8bf62e4bf9ffed38e24

SHA256
72332573d4fd88455c3fd5ccdd6f13b0728b5e49c663ce3c83d989ce0fc8a3ab

SHA512
a1d37fded62a22279a3abd2bf294e17ac747ce0a60cd2f2b4cd9d624dc7d17610de1ac4271eb49c67033db911d36d2737d09d040645a7d994b15437e3cde95e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfwrpebvthrlurybgffb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfwrpebvthrlurybgffb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfunjwrjfrzrytyzcz.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfunjwrjfrzrytyzcz.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\pngddutppfrnyxglstvtmj.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\pngddutppfrnyxglstvtmj.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnarlwpfzjpfkdgf.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrhbymibylunvrxzdba.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrhbymibylunvrxzdba.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfhnw.exe

Filesize
716KB

MD5
f5c166f540693bcb90e3e1dfff6e3dbd

SHA1
05825b917f727701b6048f035e9decf8c5a2f705

SHA256
e71d93e30820e62366bf99095dbc0964f0a646e3c285e08d924e89d00fa316b9

SHA512
3e6b2b30f10bd6babfc19946a9ca227dba973315618e5cde679f2b7d642e2e59290440e2a3389269b75dffdc8a07e363cbd2513d52cb467dea042445a1a9d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfhnw.exe

Filesize
716KB

MD5
f5c166f540693bcb90e3e1dfff6e3dbd

SHA1
05825b917f727701b6048f035e9decf8c5a2f705

SHA256
e71d93e30820e62366bf99095dbc0964f0a646e3c285e08d924e89d00fa316b9

SHA512
3e6b2b30f10bd6babfc19946a9ca227dba973315618e5cde679f2b7d642e2e59290440e2a3389269b75dffdc8a07e363cbd2513d52cb467dea042445a1a9d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfhnw.exe

Filesize
716KB

MD5
f5c166f540693bcb90e3e1dfff6e3dbd

SHA1
05825b917f727701b6048f035e9decf8c5a2f705

SHA256
e71d93e30820e62366bf99095dbc0964f0a646e3c285e08d924e89d00fa316b9

SHA512
3e6b2b30f10bd6babfc19946a9ca227dba973315618e5cde679f2b7d642e2e59290440e2a3389269b75dffdc8a07e363cbd2513d52cb467dea042445a1a9d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvnjiywrqfqlvtbfllmjb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvnjiywrqfqlvtbfllmjb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\cvjbwictozgxdxbbd.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\jfwrpebvthrlurybgffb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\lfunjwrjfrzrytyzcz.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\pngddutppfrnyxglstvtmj.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\vnarlwpfzjpfkdgf.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\wrhbymibylunvrxzdba.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\SysWOW64\yvnjiywrqfqlvtbfllmjb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\cvjbwictozgxdxbbd.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\cvjbwictozgxdxbbd.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\jfwrpebvthrlurybgffb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\jfwrpebvthrlurybgffb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\lfunjwrjfrzrytyzcz.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\lfunjwrjfrzrytyzcz.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\pngddutppfrnyxglstvtmj.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\pngddutppfrnyxglstvtmj.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\vnarlwpfzjpfkdgf.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\vnarlwpfzjpfkdgf.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\wrhbymibylunvrxzdba.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\wrhbymibylunvrxzdba.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\yvnjiywrqfqlvtbfllmjb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit
C:\Windows\yvnjiywrqfqlvtbfllmjb.exe

Filesize
1016KB

MD5
969823c040794294347f1453b53a1940

SHA1
9e1161c7ea8d5a02f6d223cd24d7915cc8b772ac

SHA256
0ed064b084828b9670acdc41fc503133d4c2b591e13efd1c9198099d0f4e61bb

SHA512
917946890ca60ade50afb3bc26eb8cb7db1e27927156fd808ae0dba9844da4dce8cf75f38d50d13bcc923e17267c44a8e405edd0948d05a98412e46205b70a48

Download Submit