200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

Analysis

max time kernel
153s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
Size

1016KB
MD5

7c426cef8ecaa87b81ffe2b200ffe7e0
SHA1

a3523449271aba6cf346f2e2b3463b57fbdeccfa
SHA256

200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a
SHA512

0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14
SSDEEP

6144:oIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:oIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dhhrr.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gokvcejrqyu.exe

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "apavgdthxipcdtfm.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "qhuredvldqzorjxgsh.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajodizjrbg = "qhuredvldqzorjxgsh.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhjvxls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe"	dhhrr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe

Executes dropped EXE 3 IoCs

pid	Process
1472	gokvcejrqyu.exe
1808	dhhrr.exe
1620	dhhrr.exe

Loads dropped DLL 6 IoCs

pid	Process
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1472	gokvcejrqyu.exe
1472	gokvcejrqyu.exe
1472	gokvcejrqyu.exe
1472	gokvcejrqyu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dhhrr.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "apavgdthxipcdtfm.exe ."	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "ohwvklfxrgrinhxiwnkd.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "ohwvklfxrgrinhxiwnkd.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfohqlzlzinyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "bthfttmdwkukohwgtjf.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "bthfttmdwkukohwgtjf.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "qhuredvldqzorjxgsh.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "bthfttmdwkukohwgtjf.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apavgdthxipcdtfm.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apavgdthxipcdtfm.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "hxjfrpgvmyguwnait.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "hxjfrpgvmyguwnait.exe"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "bthfttmdwkukohwgtjf.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "bthfttmdwkukohwgtjf.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "ohwvklfxrgrinhxiwnkd.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "apavgdthxipcdtfm.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "dxnndfatoeqiojambtrlb.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "dxnndfatoeqiojambtrlb.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "qhuredvldqzorjxgsh.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "ohwvklfxrgrinhxiwnkd.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "qhuredvldqzorjxgsh.exe"	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "ohwvklfxrgrinhxiwnkd.exe"	dhhrr.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "qhuredvldqzorjxgsh.exe ."	dhhrr.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apavgdthxipcdtfm.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "qhuredvldqzorjxgsh.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfohqlzlzinyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnndfatoeqiojambtrlb.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfohqlzlzinyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwvklfxrgrinhxiwnkd.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "qhuredvldqzorjxgsh.exe ."	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwvklfxrgrinhxiwnkd.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfohqlzlzinyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "dxnndfatoeqiojambtrlb.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfohqlzlzinyxl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuredvldqzorjxgsh.exe"	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\qxanqfnt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjfrpgvmyguwnait.exe"	gokvcejrqyu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkbibnxjqtc = "dxnndfatoeqiojambtrlb.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hpthlbkra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwvklfxrgrinhxiwnkd.exe ."	dhhrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vflbhzktekm = "hxjfrpgvmyguwnait.exe"	dhhrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe ."	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gokvcejrqyu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	gokvcejrqyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdldlfsdqycmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthfttmdwkukohwgtjf.exe ."	dhhrr.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	whatismyipaddress.com
4	whatismyip.everdot.org
6	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qhuredvldqzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\apavgdthxipcdtfm.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\bthfttmdwkukohwgtjf.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\ohwvklfxrgrinhxiwnkd.exe	dhhrr.exe
File created	C:\Windows\SysWOW64\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File created	C:\Windows\SysWOW64\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\apavgdthxipcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\ohwvklfxrgrinhxiwnkd.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\hxjfrpgvmyguwnait.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\dxnndfatoeqiojambtrlb.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\ohwvklfxrgrinhxiwnkd.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\hxjfrpgvmyguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\dxnndfatoeqiojambtrlb.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\upghybxrnerkrnfsibavmn.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\hxjfrpgvmyguwnait.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\bthfttmdwkukohwgtjf.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\dxnndfatoeqiojambtrlb.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\upghybxrnerkrnfsibavmn.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\bthfttmdwkukohwgtjf.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\SysWOW64\qhuredvldqzorjxgsh.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\upghybxrnerkrnfsibavmn.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\apavgdthxipcdtfm.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\qhuredvldqzorjxgsh.exe	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File opened for modification	C:\Windows\SysWOW64\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File created	C:\Program Files (x86)\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File opened for modification	C:\Program Files (x86)\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe
File created	C:\Program Files (x86)\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bthfttmdwkukohwgtjf.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\ohwvklfxrgrinhxiwnkd.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\qhuredvldqzorjxgsh.exe	dhhrr.exe
File opened for modification	C:\Windows\dxnndfatoeqiojambtrlb.exe	dhhrr.exe
File opened for modification	C:\Windows\upghybxrnerkrnfsibavmn.exe	dhhrr.exe
File opened for modification	C:\Windows\bthfttmdwkukohwgtjf.exe	dhhrr.exe
File created	C:\Windows\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe
File opened for modification	C:\Windows\hxjfrpgvmyguwnait.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\ohwvklfxrgrinhxiwnkd.exe	dhhrr.exe
File opened for modification	C:\Windows\apavgdthxipcdtfm.exe	dhhrr.exe
File opened for modification	C:\Windows\qhuredvldqzorjxgsh.exe	dhhrr.exe
File opened for modification	C:\Windows\ohwvklfxrgrinhxiwnkd.exe	dhhrr.exe
File opened for modification	C:\Windows\sdkbibnxjqtczltwclalsjqjvfrybkhtbe.tit	dhhrr.exe
File opened for modification	C:\Windows\apavgdthxipcdtfm.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\apavgdthxipcdtfm.exe	dhhrr.exe
File opened for modification	C:\Windows\bthfttmdwkukohwgtjf.exe	dhhrr.exe
File opened for modification	C:\Windows\hxjfrpgvmyguwnait.exe	dhhrr.exe
File opened for modification	C:\Windows\dxnndfatoeqiojambtrlb.exe	dhhrr.exe
File opened for modification	C:\Windows\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File created	C:\Windows\ffbhdlmlmiaykliavtxxtzv.ede	dhhrr.exe
File opened for modification	C:\Windows\qhuredvldqzorjxgsh.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\dxnndfatoeqiojambtrlb.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\upghybxrnerkrnfsibavmn.exe	gokvcejrqyu.exe
File opened for modification	C:\Windows\hxjfrpgvmyguwnait.exe	dhhrr.exe
File opened for modification	C:\Windows\upghybxrnerkrnfsibavmn.exe	dhhrr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1808	dhhrr.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1808	dhhrr.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	dhhrr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1472	1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	26
PID 1504 wrote to memory of 1472	1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	26
PID 1504 wrote to memory of 1472	1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	26
PID 1504 wrote to memory of 1472	1504	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	26
PID 1472 wrote to memory of 1808	1472	gokvcejrqyu.exe	27
PID 1472 wrote to memory of 1808	1472	gokvcejrqyu.exe	27
PID 1472 wrote to memory of 1808	1472	gokvcejrqyu.exe	27
PID 1472 wrote to memory of 1808	1472	gokvcejrqyu.exe	27
PID 1472 wrote to memory of 1620	1472	gokvcejrqyu.exe	28
PID 1472 wrote to memory of 1620	1472	gokvcejrqyu.exe	28
PID 1472 wrote to memory of 1620	1472	gokvcejrqyu.exe	28
PID 1472 wrote to memory of 1620	1472	gokvcejrqyu.exe	28

System policy modification 1 TTPs 31 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gokvcejrqyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dhhrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	gokvcejrqyu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dhhrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dhhrr.exe

C:\Users\Admin\AppData\Local\Temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
"C:\Users\Admin\AppData\Local\Temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe
  "C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe" "c:\users\admin\appdata\local\temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\dhhrr.exe
    "C:\Users\Admin\AppData\Local\Temp\dhhrr.exe" "-C:\Users\Admin\AppData\Local\Temp\apavgdthxipcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\dhhrr.exe
    "C:\Users\Admin\AppData\Local\Temp\dhhrr.exe" "-C:\Users\Admin\AppData\Local\Temp\apavgdthxipcdtfm.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apavgdthxipcdtfm.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\bthfttmdwkukohwgtjf.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxnndfatoeqiojambtrlb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
09dd3c58b4e54d4f06a072a61c0223ea

SHA1
6ea79527efd8c1837c1a316e5b2c1924b1ea99f3

SHA256
c0a6002b8e8b74a2af3d7dc261cb9fef62eeb3e4582776572a3647f0271de270

SHA512
fc120ce58473c569b41942dd2f35db412cb6a6bf9bbd86d24b9ae2d90a6572a0bf83bfa4255afe2661d562fd5388dc3d76569ce0e5dfd38cce49b6de5cf65fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
09dd3c58b4e54d4f06a072a61c0223ea

SHA1
6ea79527efd8c1837c1a316e5b2c1924b1ea99f3

SHA256
c0a6002b8e8b74a2af3d7dc261cb9fef62eeb3e4582776572a3647f0271de270

SHA512
fc120ce58473c569b41942dd2f35db412cb6a6bf9bbd86d24b9ae2d90a6572a0bf83bfa4255afe2661d562fd5388dc3d76569ce0e5dfd38cce49b6de5cf65fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxjfrpgvmyguwnait.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohwvklfxrgrinhxiwnkd.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhuredvldqzorjxgsh.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\upghybxrnerkrnfsibavmn.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\apavgdthxipcdtfm.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\bthfttmdwkukohwgtjf.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\dxnndfatoeqiojambtrlb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\hxjfrpgvmyguwnait.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\ohwvklfxrgrinhxiwnkd.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\qhuredvldqzorjxgsh.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\upghybxrnerkrnfsibavmn.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\apavgdthxipcdtfm.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\apavgdthxipcdtfm.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\bthfttmdwkukohwgtjf.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\bthfttmdwkukohwgtjf.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\dxnndfatoeqiojambtrlb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\dxnndfatoeqiojambtrlb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\hxjfrpgvmyguwnait.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\hxjfrpgvmyguwnait.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ohwvklfxrgrinhxiwnkd.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ohwvklfxrgrinhxiwnkd.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\qhuredvldqzorjxgsh.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\qhuredvldqzorjxgsh.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\upghybxrnerkrnfsibavmn.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\upghybxrnerkrnfsibavmn.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
\Users\Admin\AppData\Local\Temp\dhhrr.exe

Filesize
716KB

MD5
b448a119df9342562983e6d7c92deeba

SHA1
cca5a8e5862e287e238fcd16325de195d82db268

SHA256
0146b26c4bd075ab0ed1b30590eef92e2a409a9caa55817676492c61883c5e1b

SHA512
59af1c21407c6150e8887b35f6cfa806902d4d281d46f1e1d212eb02737362208f372b118b104fb8e813ec90eca11f51d979d95cc5a94fd825d27eeb428a9d99

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
09dd3c58b4e54d4f06a072a61c0223ea

SHA1
6ea79527efd8c1837c1a316e5b2c1924b1ea99f3

SHA256
c0a6002b8e8b74a2af3d7dc261cb9fef62eeb3e4582776572a3647f0271de270

SHA512
fc120ce58473c569b41942dd2f35db412cb6a6bf9bbd86d24b9ae2d90a6572a0bf83bfa4255afe2661d562fd5388dc3d76569ce0e5dfd38cce49b6de5cf65fb8

Download Submit
\Users\Admin\AppData\Local\Temp\gokvcejrqyu.exe

Filesize
320KB

MD5
09dd3c58b4e54d4f06a072a61c0223ea

SHA1
6ea79527efd8c1837c1a316e5b2c1924b1ea99f3

SHA256
c0a6002b8e8b74a2af3d7dc261cb9fef62eeb3e4582776572a3647f0271de270

SHA512
fc120ce58473c569b41942dd2f35db412cb6a6bf9bbd86d24b9ae2d90a6572a0bf83bfa4255afe2661d562fd5388dc3d76569ce0e5dfd38cce49b6de5cf65fb8

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download