d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 02:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Size

308KB
MD5

0c6f34c19c98574c9bfb974c73d5b59d
SHA1

5d79c6058231c466fa92c9b8aa7ef68430b3f929
SHA256

d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72
SHA512

5b07e6f0879b7a3f1a560a1bb09ae2dfdd47d4a91cd12b15ee847e8103b16c94de60a8d90c141ac7cbb4791eb47e05a0fc1674f07a521322385c3dbc192a688e
SSDEEP

6144:kh3rzMYXh+02d1r5ZTYnQbc0rF6tANv4hituxp38u0/:urgQmd195KQ40oANv4h8u/8l

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 42 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hpbygp.exe

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "hddokhcvsxraxehmljff.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "upoytpjbxbucyegkifa.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "hddokhcvsxraxehmljff.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "hddokhcvsxraxehmljff.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "hddokhcvsxraxehmljff.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "hddokhcvsxraxehmljff.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kzswlbpbrpceu = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tfvwivgpcx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hpbygp.exe

Disables RegEdit via registry modification 46 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hpbygp.exe

Executes dropped EXE 41 IoCs

pid	Process
4676	hpbygp.exe
4960	hpbygp.exe
4924	hpbygp.exe
4716	hpbygp.exe
3452	hpbygp.exe
4228	hpbygp.exe
4132	hpbygp.exe
1772	hpbygp.exe
1012	hpbygp.exe
3928	hpbygp.exe
4328	hpbygp.exe
3664	hpbygp.exe
3264	hpbygp.exe
3276	hpbygp.exe
1348	hpbygp.exe
1392	hpbygp.exe
3212	hpbygp.exe
4476	hpbygp.exe
4788	hpbygp.exe
4420	hpbygp.exe
1464	hpbygp.exe
3608	hpbygp.exe
3052	hpbygp.exe
3484	hpbygp.exe
4148	hpbygp.exe
1944	hpbygp.exe
2936	hpbygp.exe
3964	hpbygp.exe
4032	hpbygp.exe
4512	hpbygp.exe
4472	hpbygp.exe
4408	hpbygp.exe
4196	hpbygp.exe
4888	hpbygp.exe
896	hpbygp.exe
1140	hpbygp.exe
3168	hpbygp.exe
1908	hpbygp.exe
4232	hpbygp.exe
3380	hpbygp.exe
4672	hpbygp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	hpbygp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbvaqhwjaznqhi = "upoytpjbxbucyegkifa.exe"	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbvaqhwjaznqhi = "wtugdbxrpvqaygkqqpmnz.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe ."	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbvaqhwjaznqhi = "jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "hddokhcvsxraxehmljff.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "hddokhcvsxraxehmljff.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atqyrldtnpgmgkkmi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tlhogzqfyzpunqpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtugdbxrpvqaygkqqpmnz.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hddokhcvsxraxehmljff.exe ."	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "wtugdbxrpvqaygkqqpmnz.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "atqyrldtnpgmgkkmi.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "upoytpjbxbucyegkifa.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbvaqhwjaznqhi = "atqyrldtnpgmgkkmi.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "jdbkezsjehzgbghkhd.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "atqyrldtnpgmgkkmi.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "wtugdbxrpvqaygkqqpmnz.exe ."	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atqyrldtnpgmgkkmi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lzruixkvkhtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe ."	hpbygp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofagxpftllaewyw = "tlhogzqfyzpunqpq.exe ."	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atqyrldtnpgmgkkmi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlhogzqfyzpunqpq.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atqyrldtnpgmgkkmi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upoytpjbxbucyegkifa.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atqyrldtnpgmgkkmi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdbkezsjehzgbghkhd.exe"	hpbygp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obsuhvhrfbm = "tlhogzqfyzpunqpq.exe"	hpbygp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hpbygp.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hpbygp.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	whatismyip.everdot.org
32	whatismyip.everdot.org
52	whatismyip.everdot.org
59	whatismyip.everdot.org
60	www.showmyipaddress.com
20	whatismyipaddress.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe
File created	C:\Windows\SysWOW64\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe
File created	C:\Program Files (x86)\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe
File created	C:\Windows\yzeuvxxvxhguwiqaehind.gge	hpbygp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	hpbygp.exe
Token: SeDebugPrivilege	4924	hpbygp.exe
Token: SeDebugPrivilege	4716	hpbygp.exe
Token: SeDebugPrivilege	3452	hpbygp.exe
Token: SeDebugPrivilege	4132	hpbygp.exe
Token: SeDebugPrivilege	1772	hpbygp.exe
Token: SeDebugPrivilege	1012	hpbygp.exe
Token: SeDebugPrivilege	3928	hpbygp.exe
Token: SeDebugPrivilege	4328	hpbygp.exe
Token: SeDebugPrivilege	3664	hpbygp.exe
Token: SeDebugPrivilege	3264	hpbygp.exe
Token: SeDebugPrivilege	3276	hpbygp.exe
Token: SeDebugPrivilege	1348	hpbygp.exe
Token: SeDebugPrivilege	1392	hpbygp.exe
Token: SeDebugPrivilege	3212	hpbygp.exe
Token: SeDebugPrivilege	4788	hpbygp.exe
Token: SeDebugPrivilege	4420	hpbygp.exe
Token: SeDebugPrivilege	1464	hpbygp.exe
Token: SeDebugPrivilege	3608	hpbygp.exe
Token: SeDebugPrivilege	3052	hpbygp.exe
Token: SeDebugPrivilege	3484	hpbygp.exe
Token: SeDebugPrivilege	4148	hpbygp.exe
Token: SeDebugPrivilege	1944	hpbygp.exe
Token: SeDebugPrivilege	3964	hpbygp.exe
Token: SeDebugPrivilege	4032	hpbygp.exe
Token: SeDebugPrivilege	4512	hpbygp.exe
Token: SeDebugPrivilege	4472	hpbygp.exe
Token: SeDebugPrivilege	4408	hpbygp.exe
Token: SeDebugPrivilege	4196	hpbygp.exe
Token: SeDebugPrivilege	4888	hpbygp.exe
Token: SeDebugPrivilege	896	hpbygp.exe
Token: SeDebugPrivilege	1140	hpbygp.exe
Token: SeDebugPrivilege	3168	hpbygp.exe
Token: SeDebugPrivilege	1908	hpbygp.exe
Token: SeDebugPrivilege	4232	hpbygp.exe
Token: SeDebugPrivilege	3380	hpbygp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4676	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	81
PID 2760 wrote to memory of 4676	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	81
PID 2760 wrote to memory of 4676	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	81
PID 2760 wrote to memory of 4960	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	82
PID 2760 wrote to memory of 4960	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	82
PID 2760 wrote to memory of 4960	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	82
PID 2760 wrote to memory of 4924	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	83
PID 2760 wrote to memory of 4924	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	83
PID 2760 wrote to memory of 4924	2760	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe	83
PID 4960 wrote to memory of 4716	4960	hpbygp.exe	84
PID 4960 wrote to memory of 4716	4960	hpbygp.exe	84
PID 4960 wrote to memory of 4716	4960	hpbygp.exe	84
PID 4960 wrote to memory of 3452	4960	hpbygp.exe	85
PID 4960 wrote to memory of 3452	4960	hpbygp.exe	85
PID 4960 wrote to memory of 3452	4960	hpbygp.exe	85
PID 4960 wrote to memory of 4228	4960	hpbygp.exe	87
PID 4960 wrote to memory of 4228	4960	hpbygp.exe	87
PID 4960 wrote to memory of 4228	4960	hpbygp.exe	87
PID 4960 wrote to memory of 4132	4960	hpbygp.exe	88
PID 4960 wrote to memory of 4132	4960	hpbygp.exe	88
PID 4960 wrote to memory of 4132	4960	hpbygp.exe	88
PID 4960 wrote to memory of 1772	4960	hpbygp.exe	89
PID 4960 wrote to memory of 1772	4960	hpbygp.exe	89
PID 4960 wrote to memory of 1772	4960	hpbygp.exe	89
PID 4960 wrote to memory of 1012	4960	hpbygp.exe	90
PID 4960 wrote to memory of 1012	4960	hpbygp.exe	90
PID 4960 wrote to memory of 1012	4960	hpbygp.exe	90
PID 4960 wrote to memory of 3928	4960	hpbygp.exe	91
PID 4960 wrote to memory of 3928	4960	hpbygp.exe	91
PID 4960 wrote to memory of 3928	4960	hpbygp.exe	91
PID 4960 wrote to memory of 4328	4960	hpbygp.exe	92
PID 4960 wrote to memory of 4328	4960	hpbygp.exe	92
PID 4960 wrote to memory of 4328	4960	hpbygp.exe	92
PID 4960 wrote to memory of 3664	4960	hpbygp.exe	93
PID 4960 wrote to memory of 3664	4960	hpbygp.exe	93
PID 4960 wrote to memory of 3664	4960	hpbygp.exe	93
PID 4960 wrote to memory of 3264	4960	hpbygp.exe	94
PID 4960 wrote to memory of 3264	4960	hpbygp.exe	94
PID 4960 wrote to memory of 3264	4960	hpbygp.exe	94
PID 4960 wrote to memory of 3276	4960	hpbygp.exe	95
PID 4960 wrote to memory of 3276	4960	hpbygp.exe	95
PID 4960 wrote to memory of 3276	4960	hpbygp.exe	95
PID 4960 wrote to memory of 1348	4960	hpbygp.exe	96
PID 4960 wrote to memory of 1348	4960	hpbygp.exe	96
PID 4960 wrote to memory of 1348	4960	hpbygp.exe	96
PID 4960 wrote to memory of 1392	4960	hpbygp.exe	97
PID 4960 wrote to memory of 1392	4960	hpbygp.exe	97
PID 4960 wrote to memory of 1392	4960	hpbygp.exe	97
PID 4960 wrote to memory of 3212	4960	hpbygp.exe	98
PID 4960 wrote to memory of 3212	4960	hpbygp.exe	98
PID 4960 wrote to memory of 3212	4960	hpbygp.exe	98
PID 4960 wrote to memory of 4476	4960	hpbygp.exe	99
PID 4960 wrote to memory of 4476	4960	hpbygp.exe	99
PID 4960 wrote to memory of 4476	4960	hpbygp.exe	99
PID 4960 wrote to memory of 4788	4960	hpbygp.exe	100
PID 4960 wrote to memory of 4788	4960	hpbygp.exe	100
PID 4960 wrote to memory of 4788	4960	hpbygp.exe	100
PID 4960 wrote to memory of 4420	4960	hpbygp.exe	101
PID 4960 wrote to memory of 4420	4960	hpbygp.exe	101
PID 4960 wrote to memory of 4420	4960	hpbygp.exe	101
PID 4960 wrote to memory of 1464	4960	hpbygp.exe	102
PID 4960 wrote to memory of 1464	4960	hpbygp.exe	102
PID 4960 wrote to memory of 1464	4960	hpbygp.exe	102
PID 4960 wrote to memory of 3608	4960	hpbygp.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hpbygp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hpbygp.exe

C:\Users\Admin\AppData\Local\Temp\d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe
"C:\Users\Admin\AppData\Local\Temp\d68cd5ea11f4b0cf0ce1594cb8c54d147a799edad553832345e9a70befe55f72.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2760
- C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
  "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
  "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3452
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - System policy modification
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3664
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1348
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4196
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
    "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\hpbygp.exe
  "C:\Users\Admin\AppData\Local\Temp\hpbygp.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\yzeuvxxvxhguwiqaehind.gge

Filesize
120B

MD5
cc70a6fea5e7f7d06b170e0596573c51

SHA1
c1721aab8a332330fe3ac26b656a4dfdeab10930

SHA256
fe672000862b42b88624fd0c1f179477305b434fb933fdef11bdd2c86d53db03

SHA512
8277b1a77b52da47eb07c8b9df8abb59075b51fec2b1463d4157a6c73fa2b1025ece5fc6d5f7cbd8b0a0050d651f08b7bcf0ab14c9cab85a74f82e991985f954

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpbygp.exe

Filesize
684KB

MD5
17a2f7728e63964bbfe15820b91bcd34

SHA1
fb914271394df0004ac96d395f27484af0e0c811

SHA256
698fe13c332ace142f262ca31b82575f478e680fbdd8e241a7d15818c5b6eb0d

SHA512
dc460935493288e76deaa66c973a09e8d111faced88915a80d7e8d862158119086242828452da4454e658650ef516009aea980f278631417f89a27fe4fda32aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzeuvxxvxhguwiqaehind.gge

Filesize
120B

MD5
cc70a6fea5e7f7d06b170e0596573c51

SHA1
c1721aab8a332330fe3ac26b656a4dfdeab10930

SHA256
fe672000862b42b88624fd0c1f179477305b434fb933fdef11bdd2c86d53db03

SHA512
8277b1a77b52da47eb07c8b9df8abb59075b51fec2b1463d4157a6c73fa2b1025ece5fc6d5f7cbd8b0a0050d651f08b7bcf0ab14c9cab85a74f82e991985f954

Download Submit
C:\Users\Admin\AppData\Local\yzeuvxxvxhguwiqaehind.gge

Filesize
120B

MD5
cc70a6fea5e7f7d06b170e0596573c51

SHA1
c1721aab8a332330fe3ac26b656a4dfdeab10930

SHA256
fe672000862b42b88624fd0c1f179477305b434fb933fdef11bdd2c86d53db03

SHA512
8277b1a77b52da47eb07c8b9df8abb59075b51fec2b1463d4157a6c73fa2b1025ece5fc6d5f7cbd8b0a0050d651f08b7bcf0ab14c9cab85a74f82e991985f954

Download Submit
C:\Windows\SysWOW64\yzeuvxxvxhguwiqaehind.gge

Filesize
120B

MD5
cc70a6fea5e7f7d06b170e0596573c51

SHA1
c1721aab8a332330fe3ac26b656a4dfdeab10930

SHA256
fe672000862b42b88624fd0c1f179477305b434fb933fdef11bdd2c86d53db03

SHA512
8277b1a77b52da47eb07c8b9df8abb59075b51fec2b1463d4157a6c73fa2b1025ece5fc6d5f7cbd8b0a0050d651f08b7bcf0ab14c9cab85a74f82e991985f954

Download Submit
C:\Windows\yzeuvxxvxhguwiqaehind.gge

Filesize
120B

MD5
cc70a6fea5e7f7d06b170e0596573c51

SHA1
c1721aab8a332330fe3ac26b656a4dfdeab10930

SHA256
fe672000862b42b88624fd0c1f179477305b434fb933fdef11bdd2c86d53db03

SHA512
8277b1a77b52da47eb07c8b9df8abb59075b51fec2b1463d4157a6c73fa2b1025ece5fc6d5f7cbd8b0a0050d651f08b7bcf0ab14c9cab85a74f82e991985f954

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads