ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
Size

516KB
MD5

a0f6dfd8b7695011b3fb4f85e30f0ca0
SHA1

8e56545c8970d064743738ba9b47caa2abbcca87
SHA256

ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67
SHA512

cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d
SSDEEP

12288:W6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgvXPBOGy/d:vvdezCByqTtlMQsFuqzRbzI7IO5sd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	krugkr.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	krugkr.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "xrhgxrdarlunvrxzdbb.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "wnawkbkesjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "mfusibmiyrzrytyzcz.exe"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "mfusibmiyrzrytyzcz.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mvaoudeq = "kfwwojwumhrlurybgfgb.exe"	krugkr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe

Executes dropped EXE 4 IoCs

pid	Process
5088	grrfdxtjqbb.exe
1360	krugkr.exe
712	krugkr.exe
3096	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe ."	krugkr.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whoemxaowh = "zvnohdrqjfqlvtbfllnjb.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whoemxaowh = "mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvnohdrqjfqlvtbfllnjb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "dvjgvnxshzgxdxbbd.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "kfwwojwumhrlurybgfgb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "wnawkbkesjpfkdgf.exe"	krugkr.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "mfusibmiyrzrytyzcz.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whoemxaowh = "dvjgvnxshzgxdxbbd.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "xrhgxrdarlunvrxzdbb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whoemxaowh = "mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	krugkr.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe ."	krugkr.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe ."	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvjgvnxshzgxdxbbd.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "xrhgxrdarlunvrxzdbb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnawkbkesjpfkdgf.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "wnawkbkesjpfkdgf.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "kfwwojwumhrlurybgfgb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "kfwwojwumhrlurybgfgb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "zvnohdrqjfqlvtbfllnjb.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krugkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kfwwojwumhrlurybgfgb.exe"	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdlclxbqzlm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfusibmiyrzrytyzcz.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obkcmzeuertf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kfwwojwumhrlurybgfgb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfjwbjj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrhgxrdarlunvrxzdbb.exe ."	krugkr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krugkr = "xrhgxrdarlunvrxzdbb.exe"	krugkr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dntipzbov = "mfusibmiyrzrytyzcz.exe"	krugkr.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	whatismyip.everdot.org
27	whatismyip.everdot.org
42	whatismyip.everdot.org
7	www.showmyipaddress.com
11	whatismyipaddress.com

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	krugkr.exe
File created	C:\autorun.inf	krugkr.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfusibmiyrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\qngiczooifrnyxglstwtmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\mfusibmiyrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\dvjgvnxshzgxdxbbd.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\qngiczooifrnyxglstwtmo.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\dvjgvnxshzgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xrhgxrdarlunvrxzdbb.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\kfwwojwumhrlurybgfgb.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\kfwwojwumhrlurybgfgb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\kfwwojwumhrlurybgfgb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\mfusibmiyrzrytyzcz.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\xrhgxrdarlunvrxzdbb.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\wnawkbkesjpfkdgf.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\wnawkbkesjpfkdgf.exe	grrfdxtjqbb.exe
File created	C:\Windows\SysWOW64\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\zvnohdrqjfqlvtbfllnjb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wnawkbkesjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xrhgxrdarlunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\qngiczooifrnyxglstwtmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\qngiczooifrnyxglstwtmo.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\dvjgvnxshzgxdxbbd.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\zvnohdrqjfqlvtbfllnjb.exe	krugkr.exe
File created	C:\Windows\SysWOW64\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\xrhgxrdarlunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\zvnohdrqjfqlvtbfllnjb.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\mfusibmiyrzrytyzcz.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\dvjgvnxshzgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\zvnohdrqjfqlvtbfllnjb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wnawkbkesjpfkdgf.exe	krugkr.exe
File opened for modification	C:\Windows\SysWOW64\kfwwojwumhrlurybgfgb.exe	krugkr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File created	C:\Program Files (x86)\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File opened for modification	C:\Program Files (x86)\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe
File created	C:\Program Files (x86)\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xrhgxrdarlunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File opened for modification	C:\Windows\dvjgvnxshzgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xrhgxrdarlunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\kfwwojwumhrlurybgfgb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\qngiczooifrnyxglstwtmo.exe	krugkr.exe
File opened for modification	C:\Windows\xrhgxrdarlunvrxzdbb.exe	krugkr.exe
File opened for modification	C:\Windows\zvnohdrqjfqlvtbfllnjb.exe	krugkr.exe
File created	C:\Windows\jnnwxbxefjcfxdtftblppyzdz.hle	krugkr.exe
File opened for modification	C:\Windows\qngiczooifrnyxglstwtmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe
File opened for modification	C:\Windows\qngiczooifrnyxglstwtmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\zvnohdrqjfqlvtbfllnjb.exe	krugkr.exe
File opened for modification	C:\Windows\qngiczooifrnyxglstwtmo.exe	krugkr.exe
File opened for modification	C:\Windows\wnawkbkesjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\kfwwojwumhrlurybgfgb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xrhgxrdarlunvrxzdbb.exe	krugkr.exe
File opened for modification	C:\Windows\mfusibmiyrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\mfusibmiyrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\zvnohdrqjfqlvtbfllnjb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wnawkbkesjpfkdgf.exe	krugkr.exe
File opened for modification	C:\Windows\mfusibmiyrzrytyzcz.exe	krugkr.exe
File opened for modification	C:\Windows\dvjgvnxshzgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wnawkbkesjpfkdgf.exe	krugkr.exe
File opened for modification	C:\Windows\dvjgvnxshzgxdxbbd.exe	krugkr.exe
File created	C:\Windows\odoiujqiujnbevwtslgvgambiambftwnolkd.nys	krugkr.exe
File opened for modification	C:\Windows\wnawkbkesjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\dvjgvnxshzgxdxbbd.exe	krugkr.exe
File opened for modification	C:\Windows\mfusibmiyrzrytyzcz.exe	krugkr.exe
File opened for modification	C:\Windows\kfwwojwumhrlurybgfgb.exe	krugkr.exe
File opened for modification	C:\Windows\kfwwojwumhrlurybgfgb.exe	krugkr.exe
File opened for modification	C:\Windows\zvnohdrqjfqlvtbfllnjb.exe	grrfdxtjqbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
1360	krugkr.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
1360	krugkr.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
1360	krugkr.exe
1360	krugkr.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	krugkr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 5088	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	79
PID 4212 wrote to memory of 5088	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	79
PID 4212 wrote to memory of 5088	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	79
PID 5088 wrote to memory of 1360	5088	grrfdxtjqbb.exe	80
PID 5088 wrote to memory of 1360	5088	grrfdxtjqbb.exe	80
PID 5088 wrote to memory of 1360	5088	grrfdxtjqbb.exe	80
PID 5088 wrote to memory of 712	5088	grrfdxtjqbb.exe	81
PID 5088 wrote to memory of 712	5088	grrfdxtjqbb.exe	81
PID 5088 wrote to memory of 712	5088	grrfdxtjqbb.exe	81
PID 4212 wrote to memory of 3096	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	91
PID 4212 wrote to memory of 3096	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	91
PID 4212 wrote to memory of 3096	4212	ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe	91

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	krugkr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	krugkr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krugkr.exe

C:\Users\Admin\AppData\Local\Temp\ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe
"C:\Users\Admin\AppData\Local\Temp\ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\krugkr.exe
    "C:\Users\Admin\AppData\Local\Temp\krugkr.exe" "-C:\Users\Admin\AppData\Local\Temp\wnawkbkesjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\krugkr.exe
    "C:\Users\Admin\AppData\Local\Temp\krugkr.exe" "-C:\Users\Admin\AppData\Local\Temp\wnawkbkesjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:712
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvjgvnxshzgxdxbbd.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfwwojwumhrlurybgfgb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\krugkr.exe

Filesize
700KB

MD5
3edfb25618b2f0e1548d61fc48ae928c

SHA1
513ed1af0f404ad9965ac64eb0a5148893c89e4c

SHA256
3af73868bd3242a43996f752528e74db4daa4af1023cc74ac4ea8b6874ef69d5

SHA512
1f6df04a5c3212a4d93767cc0ba39e76f033f69b8b61f9d76f0d4c8786d48b5ab75683900ff3d2184e0c4e3657760e780fbfc2f606856d5efa2d9db3f06e07c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\krugkr.exe

Filesize
700KB

MD5
3edfb25618b2f0e1548d61fc48ae928c

SHA1
513ed1af0f404ad9965ac64eb0a5148893c89e4c

SHA256
3af73868bd3242a43996f752528e74db4daa4af1023cc74ac4ea8b6874ef69d5

SHA512
1f6df04a5c3212a4d93767cc0ba39e76f033f69b8b61f9d76f0d4c8786d48b5ab75683900ff3d2184e0c4e3657760e780fbfc2f606856d5efa2d9db3f06e07c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\krugkr.exe

Filesize
700KB

MD5
3edfb25618b2f0e1548d61fc48ae928c

SHA1
513ed1af0f404ad9965ac64eb0a5148893c89e4c

SHA256
3af73868bd3242a43996f752528e74db4daa4af1023cc74ac4ea8b6874ef69d5

SHA512
1f6df04a5c3212a4d93767cc0ba39e76f033f69b8b61f9d76f0d4c8786d48b5ab75683900ff3d2184e0c4e3657760e780fbfc2f606856d5efa2d9db3f06e07c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfusibmiyrzrytyzcz.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qngiczooifrnyxglstwtmo.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnawkbkesjpfkdgf.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrhgxrdarlunvrxzdbb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvnohdrqjfqlvtbfllnjb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\dvjgvnxshzgxdxbbd.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\kfwwojwumhrlurybgfgb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\mfusibmiyrzrytyzcz.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\qngiczooifrnyxglstwtmo.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\wnawkbkesjpfkdgf.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\xrhgxrdarlunvrxzdbb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\SysWOW64\zvnohdrqjfqlvtbfllnjb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\dvjgvnxshzgxdxbbd.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\dvjgvnxshzgxdxbbd.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\dvjgvnxshzgxdxbbd.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\kfwwojwumhrlurybgfgb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\kfwwojwumhrlurybgfgb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\kfwwojwumhrlurybgfgb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\mfusibmiyrzrytyzcz.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\mfusibmiyrzrytyzcz.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\mfusibmiyrzrytyzcz.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\qngiczooifrnyxglstwtmo.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\qngiczooifrnyxglstwtmo.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\qngiczooifrnyxglstwtmo.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\wnawkbkesjpfkdgf.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\wnawkbkesjpfkdgf.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\wnawkbkesjpfkdgf.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\xrhgxrdarlunvrxzdbb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\xrhgxrdarlunvrxzdbb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\xrhgxrdarlunvrxzdbb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\zvnohdrqjfqlvtbfllnjb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\zvnohdrqjfqlvtbfllnjb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit
C:\Windows\zvnohdrqjfqlvtbfllnjb.exe

Filesize
516KB

MD5
a0f6dfd8b7695011b3fb4f85e30f0ca0

SHA1
8e56545c8970d064743738ba9b47caa2abbcca87

SHA256
ead421754be869ac0e651aacd09951a10d7cc9c1308336fc9d97e36ca8dc6c67

SHA512
cb9743ce51fb5935b0e170193b4cb2cf15ce18a3dd55f62904b0c2d648571af501815a9cca1f594c2ca2a89eaaeb9827d5bb29c12c3e6c5010be17f3bf2f9d7d

Download Submit