f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 16:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
Size

1016KB
MD5

824e38533001a70140371646590d55f0
SHA1

b50caa7dac386664e385e2f8b496882a902ea907
SHA256

f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d
SHA512

71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834
SSDEEP

6144:8IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUKz:8IXsgtvm1De5YlOx6lzBH46Us

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvmnbeymlxeowjhnbpofg.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "wvmnbeymlxeowjhnbpofg.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "jftrccteajnuzjehsd.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anshjaikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "tnzvecraubdiltmn.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lbjbgalqgjhi = "avifpoeojruaenhjt.exe"	wfgrp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe

Executes dropped EXE 3 IoCs

pid	Process
844	iffdguquspp.exe
1040	wfgrp.exe
1132	wfgrp.exe

Loads dropped DLL 6 IoCs

pid	Process
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
844	iffdguquspp.exe
844	iffdguquspp.exe
844	iffdguquspp.exe
844	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "tnzvecraubdiltmn.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "tnzvecraubdiltmn.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvmnbeymlxeowjhnbpofg.exe ."	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "urgfrskwtdiqwhdhtfc.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvmnbeymlxeowjhnbpofg.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "hfvvikdqozfovhejwjhx.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "wvmnbeymlxeowjhnbpofg.exe ."	wfgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe"	wfgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvmnbeymlxeowjhnbpofg.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "urgfrskwtdiqwhdhtfc.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe ."	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "hfvvikdqozfovhejwjhx.exe"	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "tnzvecraubdiltmn.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnzvecraubdiltmn.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "wvmnbeymlxeowjhnbpofg.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvmnbeymlxeowjhnbpofg.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "jftrccteajnuzjehsd.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "jftrccteajnuzjehsd.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urgfrskwtdiqwhdhtfc.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "jftrccteajnuzjehsd.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "avifpoeojruaenhjt.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnzvecraubdiltmn.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "tnzvecraubdiltmn.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jftrccteajnuzjehsd.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "urgfrskwtdiqwhdhtfc.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnzvecraubdiltmn.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wfgrp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ohsnvsgohnosubt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hfvvikdqozfovhejwjhx.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "hfvvikdqozfovhejwjhx.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "hfvvikdqozfovhejwjhx.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kbkdjeqwnrqss = "urgfrskwtdiqwhdhtfc.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldnhokxewbbefl = "hfvvikdqozfovhejwjhx.exe ."	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tnzvecraubdiltmn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tnzvecraubdiltmn.exe"	wfgrp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\thndgyhkyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avifpoeojruaenhjt.exe"	wfgrp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkbfyimbda = "avifpoeojruaenhjt.exe ."	wfgrp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	whatismyipaddress.com
6	www.showmyipaddress.com
10	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\urgfrskwtdiqwhdhtfc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\wvmnbeymlxeowjhnbpofg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\avifpoeojruaenhjt.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\jftrccteajnuzjehsd.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\avifpoeojruaenhjt.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\wvmnbeymlxeowjhnbpofg.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\hfvvikdqozfovhejwjhx.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\hfvvikdqozfovhejwjhx.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\tnzvecraubdiltmn.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\jftrccteajnuzjehsd.exe	wfgrp.exe
File created	C:\Windows\SysWOW64\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\nnfhwavkkxfqznmtixxprg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\urgfrskwtdiqwhdhtfc.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\urgfrskwtdiqwhdhtfc.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\tnzvecraubdiltmn.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\avifpoeojruaenhjt.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\jftrccteajnuzjehsd.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\tnzvecraubdiltmn.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\wvmnbeymlxeowjhnbpofg.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\nnfhwavkkxfqznmtixxprg.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\hfvvikdqozfovhejwjhx.exe	wfgrp.exe
File opened for modification	C:\Windows\SysWOW64\nnfhwavkkxfqznmtixxprg.exe	wfgrp.exe
File created	C:\Windows\SysWOW64\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe
File created	C:\Program Files (x86)\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe
File opened for modification	C:\Program Files (x86)\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe
File created	C:\Program Files (x86)\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe
File created	C:\Windows\nvvfcorowrharnujgdllvsehem.xqh	wfgrp.exe
File opened for modification	C:\Windows\jftrccteajnuzjehsd.exe	iffdguquspp.exe
File opened for modification	C:\Windows\hfvvikdqozfovhejwjhx.exe	iffdguquspp.exe
File opened for modification	C:\Windows\jftrccteajnuzjehsd.exe	wfgrp.exe
File opened for modification	C:\Windows\urgfrskwtdiqwhdhtfc.exe	wfgrp.exe
File opened for modification	C:\Windows\hfvvikdqozfovhejwjhx.exe	wfgrp.exe
File opened for modification	C:\Windows\nnfhwavkkxfqznmtixxprg.exe	wfgrp.exe
File opened for modification	C:\Windows\nnfhwavkkxfqznmtixxprg.exe	wfgrp.exe
File opened for modification	C:\Windows\avifpoeojruaenhjt.exe	iffdguquspp.exe
File opened for modification	C:\Windows\tnzvecraubdiltmn.exe	wfgrp.exe
File opened for modification	C:\Windows\tnzvecraubdiltmn.exe	wfgrp.exe
File opened for modification	C:\Windows\avifpoeojruaenhjt.exe	wfgrp.exe
File opened for modification	C:\Windows\urgfrskwtdiqwhdhtfc.exe	wfgrp.exe
File opened for modification	C:\Windows\hfvvikdqozfovhejwjhx.exe	wfgrp.exe
File opened for modification	C:\Windows\tnzvecraubdiltmn.exe	iffdguquspp.exe
File opened for modification	C:\Windows\wvmnbeymlxeowjhnbpofg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\nnfhwavkkxfqznmtixxprg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\wvmnbeymlxeowjhnbpofg.exe	wfgrp.exe
File opened for modification	C:\Windows\wvmnbeymlxeowjhnbpofg.exe	wfgrp.exe
File created	C:\Windows\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe
File opened for modification	C:\Windows\urgfrskwtdiqwhdhtfc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\avifpoeojruaenhjt.exe	wfgrp.exe
File opened for modification	C:\Windows\jftrccteajnuzjehsd.exe	wfgrp.exe
File opened for modification	C:\Windows\ohsnvsgohnosubttbjcniqnbjcijnpwoowexi.liw	wfgrp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1040	wfgrp.exe
1040	wfgrp.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1040	wfgrp.exe
1040	wfgrp.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	wfgrp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 844	1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe	27
PID 1204 wrote to memory of 844	1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe	27
PID 1204 wrote to memory of 844	1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe	27
PID 1204 wrote to memory of 844	1204	f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe	27
PID 844 wrote to memory of 1040	844	iffdguquspp.exe	28
PID 844 wrote to memory of 1040	844	iffdguquspp.exe	28
PID 844 wrote to memory of 1040	844	iffdguquspp.exe	28
PID 844 wrote to memory of 1040	844	iffdguquspp.exe	28
PID 844 wrote to memory of 1132	844	iffdguquspp.exe	29
PID 844 wrote to memory of 1132	844	iffdguquspp.exe	29
PID 844 wrote to memory of 1132	844	iffdguquspp.exe	29
PID 844 wrote to memory of 1132	844	iffdguquspp.exe	29

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wfgrp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wfgrp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wfgrp.exe

C:\Users\Admin\AppData\Local\Temp\f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe
"C:\Users\Admin\AppData\Local\Temp\f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\wfgrp.exe
    "C:\Users\Admin\AppData\Local\Temp\wfgrp.exe" "-C:\Users\Admin\AppData\Local\Temp\tnzvecraubdiltmn.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\wfgrp.exe
    "C:\Users\Admin\AppData\Local\Temp\wfgrp.exe" "-C:\Users\Admin\AppData\Local\Temp\tnzvecraubdiltmn.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avifpoeojruaenhjt.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfvvikdqozfovhejwjhx.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
56ecc391c5940a67eaa45ca1df8a49ef

SHA1
304bbd4111872509323c1fce958f82e0eeb8280d

SHA256
476501e818bdd11420dc951b2d05ed2ea1f0e799e2990074d09e25b73801326d

SHA512
8c3b6174ef40d3fcb58ff3161888a647c5416286e93001e5bbbddde8d56930979e2a70eb2372289a3d69b5a553609400a27663d69c7897a601ee077002259df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
56ecc391c5940a67eaa45ca1df8a49ef

SHA1
304bbd4111872509323c1fce958f82e0eeb8280d

SHA256
476501e818bdd11420dc951b2d05ed2ea1f0e799e2990074d09e25b73801326d

SHA512
8c3b6174ef40d3fcb58ff3161888a647c5416286e93001e5bbbddde8d56930979e2a70eb2372289a3d69b5a553609400a27663d69c7897a601ee077002259df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jftrccteajnuzjehsd.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnfhwavkkxfqznmtixxprg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnzvecraubdiltmn.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\urgfrskwtdiqwhdhtfc.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvmnbeymlxeowjhnbpofg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\avifpoeojruaenhjt.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\hfvvikdqozfovhejwjhx.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\jftrccteajnuzjehsd.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\nnfhwavkkxfqznmtixxprg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\tnzvecraubdiltmn.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\urgfrskwtdiqwhdhtfc.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\SysWOW64\wvmnbeymlxeowjhnbpofg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\avifpoeojruaenhjt.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\avifpoeojruaenhjt.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\hfvvikdqozfovhejwjhx.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\hfvvikdqozfovhejwjhx.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\jftrccteajnuzjehsd.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\jftrccteajnuzjehsd.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\nnfhwavkkxfqznmtixxprg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\nnfhwavkkxfqznmtixxprg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\tnzvecraubdiltmn.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\tnzvecraubdiltmn.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\urgfrskwtdiqwhdhtfc.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\urgfrskwtdiqwhdhtfc.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\wvmnbeymlxeowjhnbpofg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
C:\Windows\wvmnbeymlxeowjhnbpofg.exe

Filesize
1016KB

MD5
824e38533001a70140371646590d55f0

SHA1
b50caa7dac386664e385e2f8b496882a902ea907

SHA256
f4308beafaa13fd048ad78a891d74f12e19cf2e8ed6f9a60fa92bfd30263f62d

SHA512
71b905d8d06ca68bfcbb3b9cf0a1f24d1f871ec71de56036f0dd43ecc95c776d57611f2378fac70002f8f3e3cfc8e6b1efe9cfdd2ab7a1596c506196e975b834

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
56ecc391c5940a67eaa45ca1df8a49ef

SHA1
304bbd4111872509323c1fce958f82e0eeb8280d

SHA256
476501e818bdd11420dc951b2d05ed2ea1f0e799e2990074d09e25b73801326d

SHA512
8c3b6174ef40d3fcb58ff3161888a647c5416286e93001e5bbbddde8d56930979e2a70eb2372289a3d69b5a553609400a27663d69c7897a601ee077002259df5

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
56ecc391c5940a67eaa45ca1df8a49ef

SHA1
304bbd4111872509323c1fce958f82e0eeb8280d

SHA256
476501e818bdd11420dc951b2d05ed2ea1f0e799e2990074d09e25b73801326d

SHA512
8c3b6174ef40d3fcb58ff3161888a647c5416286e93001e5bbbddde8d56930979e2a70eb2372289a3d69b5a553609400a27663d69c7897a601ee077002259df5

Download Submit
\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
\Users\Admin\AppData\Local\Temp\wfgrp.exe

Filesize
708KB

MD5
6ddaba062d3ad87bc4488bba52c72ffa

SHA1
6b277b951020d024f59178a39195b8f4eb1ea45e

SHA256
f65048f7d889d4d42e11c6ae25c008023012e48de467d4ed01ec2fed6f8528b3

SHA512
9031b7d5f45f5df7d7b9869668bfcbca315862d76066a4662b12b9967358ecfe6a2ca1aab172fcc5872ad4d5d373ad78546043e599f4441e9c3c89d354693335

Download Submit
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download