77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

Analysis

max time kernel
153s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
Size

1016KB
MD5

417073b2fcb92c9f0b00b610de7a7f70
SHA1

97132931908b1305dbf8bef42036e4f6631458ab
SHA256

77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06
SHA512

9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3
SSDEEP

6144:7IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUKz:7IXsgtvm1De5YlOx6lzBH46Us

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ktugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exektugkt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ktugkt.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

grrfdxtjqbb.exektugkt.exegrrfdxtjqbb.exektugkt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ktugkt.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ktugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exektugkt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "khwwolyxmgrlurybgfgd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "mhusidolyqzrytyzcz.exe"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khwwolyxmgrlurybgfgd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxjgvpzvhygxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "khwwolyxmgrlurybgfgd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "wpawkdmhsipfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "wpawkdmhsipfkdgf.exe"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khwwolyxmgrlurybgfgd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "mhusidolyqzrytyzcz.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktugkt = "zxnohfttjeqlvtbfllnlb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe"	ktugkt.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

ktugkt.exektugkt.exegrrfdxtjqbb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe

Executes dropped EXE 4 IoCs

Processes:

grrfdxtjqbb.exektugkt.exektugkt.exegrrfdxtjqbb.exe

pid process

3792 grrfdxtjqbb.exe
4416 ktugkt.exe
2744 ktugkt.exe
4512 grrfdxtjqbb.exe

pid	process
3792	grrfdxtjqbb.exe
4416	ktugkt.exe
2744	ktugkt.exe
4512	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exegrrfdxtjqbb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ktugkt.exektugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "dxjgvpzvhygxdxbbd.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khwwolyxmgrlurybgfgd.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "mhusidolyqzrytyzcz.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dptipbdrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dptipbdrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "mhusidolyqzrytyzcz.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "dxjgvpzvhygxdxbbd.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "wpawkdmhsipfkdgf.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjoemzcrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "khwwolyxmgrlurybgfgd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "zxnohfttjeqlvtbfllnlb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "wpawkdmhsipfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "zxnohfttjeqlvtbfllnlb.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "dxjgvpzvhygxdxbbd.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dptipbdrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "zxnohfttjeqlvtbfllnlb.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxwg = "mhusidolyqzrytyzcz.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "xthgxtfdrkunvrxzdbb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "wpawkdmhsipfkdgf.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xthgxtfdrkunvrxzdbb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dptipbdrv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe ."	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "khwwolyxmgrlurybgfgd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjoemzcrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xthgxtfdrkunvrxzdbb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjoemzcrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xthgxtfdrkunvrxzdbb.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "dxjgvpzvhygxdxbbd.exe"	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "xthgxtfdrkunvrxzdbb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "mhusidolyqzrytyzcz.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjoemzcrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhusidolyqzrytyzcz.exe"	ktugkt.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ktugkt.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ktugkt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjoemzcrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxjgvpzvhygxdxbbd.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhhsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpawkdmhsipfkdgf.exe ."	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhjwbll = "zxnohfttjeqlvtbfllnlb.exe"	ktugkt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxaoufgt = "xthgxtfdrkunvrxzdbb.exe ."	ktugkt.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ktugkt.exektugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	www.showmyipaddress.com
51	whatismyipaddress.com
58	whatismyip.everdot.org
60	www.showmyipaddress.com
72	whatismyip.everdot.org
7	whatismyip.everdot.org
9	whatismyipaddress.com

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

ktugkt.exe

description ioc process

File opened for modification C:\autorun.inf ktugkt.exe
File created C:\autorun.inf ktugkt.exe

description	ioc	process
File opened for modification	C:\autorun.inf	ktugkt.exe
File created	C:\autorun.inf	ktugkt.exe

Drops file in System32 directory 32 IoCs

Processes:

ktugkt.exektugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\khwwolyxmgrlurybgfgd.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\qpgicbqriernyxglstwvmo.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\mhusidolyqzrytyzcz.exe	ktugkt.exe
File created	C:\Windows\SysWOW64\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\mhusidolyqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\khwwolyxmgrlurybgfgd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\qpgicbqriernyxglstwvmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wpawkdmhsipfkdgf.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\dxjgvpzvhygxdxbbd.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\khwwolyxmgrlurybgfgd.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\qpgicbqriernyxglstwvmo.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\zxnohfttjeqlvtbfllnlb.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\zxnohfttjeqlvtbfllnlb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\dxjgvpzvhygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wpawkdmhsipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\mhusidolyqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wpawkdmhsipfkdgf.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\mhusidolyqzrytyzcz.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\dxjgvpzvhygxdxbbd.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\khwwolyxmgrlurybgfgd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\dxjgvpzvhygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xthgxtfdrkunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xthgxtfdrkunvrxzdbb.exe	ktugkt.exe
File created	C:\Windows\SysWOW64\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\wpawkdmhsipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\zxnohfttjeqlvtbfllnlb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\zxnohfttjeqlvtbfllnlb.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\xthgxtfdrkunvrxzdbb.exe	ktugkt.exe
File opened for modification	C:\Windows\SysWOW64\xthgxtfdrkunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\qpgicbqriernyxglstwvmo.exe	grrfdxtjqbb.exe

Drops file in Program Files directory 4 IoCs

Processes:

ktugkt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File created	C:\Program Files (x86)\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File opened for modification	C:\Program Files (x86)\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe
File created	C:\Program Files (x86)\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe

Drops file in Windows directory 32 IoCs

Processes:

ktugkt.exektugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exe

description	ioc	process
File opened for modification	C:\Windows\qpgicbqriernyxglstwvmo.exe	ktugkt.exe
File opened for modification	C:\Windows\zxnohfttjeqlvtbfllnlb.exe	ktugkt.exe
File opened for modification	C:\Windows\xthgxtfdrkunvrxzdbb.exe	ktugkt.exe
File opened for modification	C:\Windows\mhusidolyqzrytyzcz.exe	ktugkt.exe
File opened for modification	C:\Windows\khwwolyxmgrlurybgfgd.exe	ktugkt.exe
File opened for modification	C:\Windows\mhusidolyqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wpawkdmhsipfkdgf.exe	ktugkt.exe
File opened for modification	C:\Windows\mhusidolyqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\qpgicbqriernyxglstwvmo.exe	grrfdxtjqbb.exe
File created	C:\Windows\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File opened for modification	C:\Windows\dxjgvpzvhygxdxbbd.exe	ktugkt.exe
File opened for modification	C:\Windows\wpawkdmhsipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xthgxtfdrkunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\zxnohfttjeqlvtbfllnlb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe
File opened for modification	C:\Windows\qpgicbqriernyxglstwvmo.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wpawkdmhsipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wpawkdmhsipfkdgf.exe	ktugkt.exe
File opened for modification	C:\Windows\zhhsvdbllqmrltlzpzlttehpnxx.ydx	ktugkt.exe
File opened for modification	C:\Windows\dxjgvpzvhygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\khwwolyxmgrlurybgfgd.exe	ktugkt.exe
File opened for modification	C:\Windows\dxjgvpzvhygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xthgxtfdrkunvrxzdbb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\khwwolyxmgrlurybgfgd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xthgxtfdrkunvrxzdbb.exe	ktugkt.exe
File opened for modification	C:\Windows\mhusidolyqzrytyzcz.exe	ktugkt.exe
File opened for modification	C:\Windows\zxnohfttjeqlvtbfllnlb.exe	ktugkt.exe
File created	C:\Windows\wpawkdmhsipfkdgfgbyrcymfojukrhmfihidat.aoh	ktugkt.exe
File opened for modification	C:\Windows\khwwolyxmgrlurybgfgd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\zxnohfttjeqlvtbfllnlb.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\dxjgvpzvhygxdxbbd.exe	ktugkt.exe
File opened for modification	C:\Windows\qpgicbqriernyxglstwvmo.exe	ktugkt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exektugkt.exe

pid	process
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
4416	ktugkt.exe
4416	ktugkt.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
4416	ktugkt.exe
4416	ktugkt.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ktugkt.exe

description pid process

Token: SeDebugPrivilege 4416 ktugkt.exe

description	pid	process
Token: SeDebugPrivilege	4416	ktugkt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exegrrfdxtjqbb.exe

description	pid	process	target process
PID 1436 wrote to memory of 3792	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe
PID 1436 wrote to memory of 3792	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe
PID 1436 wrote to memory of 3792	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe
PID 3792 wrote to memory of 4416	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 3792 wrote to memory of 4416	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 3792 wrote to memory of 4416	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 3792 wrote to memory of 2744	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 3792 wrote to memory of 2744	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 3792 wrote to memory of 2744	3792	grrfdxtjqbb.exe	ktugkt.exe
PID 1436 wrote to memory of 4512	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe
PID 1436 wrote to memory of 4512	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe
PID 1436 wrote to memory of 4512	1436	77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe	grrfdxtjqbb.exe

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

Processes:

ktugkt.exegrrfdxtjqbb.exegrrfdxtjqbb.exektugkt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ktugkt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ktugkt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe

C:\Users\Admin\AppData\Local\Temp\77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe
"C:\Users\Admin\AppData\Local\Temp\77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
"C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe*"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3792

C:\Users\Admin\AppData\Local\Temp\ktugkt.exe
"C:\Users\Admin\AppData\Local\Temp\ktugkt.exe" "-C:\Users\Admin\AppData\Local\Temp\wpawkdmhsipfkdgf.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4416

C:\Users\Admin\AppData\Local\Temp\ktugkt.exe
"C:\Users\Admin\AppData\Local\Temp\ktugkt.exe" "-C:\Users\Admin\AppData\Local\Temp\wpawkdmhsipfkdgf.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2744

C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
"C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06.exe"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxjgvpzvhygxdxbbd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
a2818231ff216dfcbf7c71488d3bada3

SHA1
a77a2b348378fc47de2c25867af3cca3b10aef62

SHA256
718bec3c1519d820581574669d298d10a7f564a071150a00f1a6379c708e5143

SHA512
0e0c0ffb260568abff6e4e981ff9760f9354c8f410b56d2af22f37c273c28891669667931495de7fea29b6b5e0d58a34abc557775f60516fab3f13feafad1a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
a2818231ff216dfcbf7c71488d3bada3

SHA1
a77a2b348378fc47de2c25867af3cca3b10aef62

SHA256
718bec3c1519d820581574669d298d10a7f564a071150a00f1a6379c708e5143

SHA512
0e0c0ffb260568abff6e4e981ff9760f9354c8f410b56d2af22f37c273c28891669667931495de7fea29b6b5e0d58a34abc557775f60516fab3f13feafad1a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
a2818231ff216dfcbf7c71488d3bada3

SHA1
a77a2b348378fc47de2c25867af3cca3b10aef62

SHA256
718bec3c1519d820581574669d298d10a7f564a071150a00f1a6379c708e5143

SHA512
0e0c0ffb260568abff6e4e981ff9760f9354c8f410b56d2af22f37c273c28891669667931495de7fea29b6b5e0d58a34abc557775f60516fab3f13feafad1a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\khwwolyxmgrlurybgfgd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktugkt.exe

Filesize
700KB

MD5
63941994c2023dbebcc34c1ff2e6e84e

SHA1
36d7377a6a3d5f47be4d21bbaac0ad5f9fa52cf1

SHA256
e473a3bd08b735987f9b74da948a7ef34d9fb55408d5db0292b37d2ce5b448bf

SHA512
b10f76d3c48d7de9ec0b7ea25693f1994351556d97b072fc5a45b0e2e1b89f0003d71d839ba9679584cadad966272c2b3c51b4b0bec1db40b7c5f32ab2eb104c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktugkt.exe

Filesize
700KB

MD5
63941994c2023dbebcc34c1ff2e6e84e

SHA1
36d7377a6a3d5f47be4d21bbaac0ad5f9fa52cf1

SHA256
e473a3bd08b735987f9b74da948a7ef34d9fb55408d5db0292b37d2ce5b448bf

SHA512
b10f76d3c48d7de9ec0b7ea25693f1994351556d97b072fc5a45b0e2e1b89f0003d71d839ba9679584cadad966272c2b3c51b4b0bec1db40b7c5f32ab2eb104c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktugkt.exe

Filesize
700KB

MD5
63941994c2023dbebcc34c1ff2e6e84e

SHA1
36d7377a6a3d5f47be4d21bbaac0ad5f9fa52cf1

SHA256
e473a3bd08b735987f9b74da948a7ef34d9fb55408d5db0292b37d2ce5b448bf

SHA512
b10f76d3c48d7de9ec0b7ea25693f1994351556d97b072fc5a45b0e2e1b89f0003d71d839ba9679584cadad966272c2b3c51b4b0bec1db40b7c5f32ab2eb104c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhusidolyqzrytyzcz.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpgicbqriernyxglstwvmo.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpawkdmhsipfkdgf.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xthgxtfdrkunvrxzdbb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxnohfttjeqlvtbfllnlb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\dxjgvpzvhygxdxbbd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\khwwolyxmgrlurybgfgd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\mhusidolyqzrytyzcz.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\qpgicbqriernyxglstwvmo.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\wpawkdmhsipfkdgf.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\xthgxtfdrkunvrxzdbb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\SysWOW64\zxnohfttjeqlvtbfllnlb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\dxjgvpzvhygxdxbbd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\dxjgvpzvhygxdxbbd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\dxjgvpzvhygxdxbbd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\khwwolyxmgrlurybgfgd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\khwwolyxmgrlurybgfgd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\khwwolyxmgrlurybgfgd.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\mhusidolyqzrytyzcz.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\mhusidolyqzrytyzcz.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\mhusidolyqzrytyzcz.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\qpgicbqriernyxglstwvmo.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\qpgicbqriernyxglstwvmo.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\qpgicbqriernyxglstwvmo.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\wpawkdmhsipfkdgf.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\wpawkdmhsipfkdgf.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\wpawkdmhsipfkdgf.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\xthgxtfdrkunvrxzdbb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\xthgxtfdrkunvrxzdbb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\xthgxtfdrkunvrxzdbb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\zxnohfttjeqlvtbfllnlb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\zxnohfttjeqlvtbfllnlb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
C:\Windows\zxnohfttjeqlvtbfllnlb.exe

Filesize
1016KB

MD5
417073b2fcb92c9f0b00b610de7a7f70

SHA1
97132931908b1305dbf8bef42036e4f6631458ab

SHA256
77d33ee80a700b529bda5d1a90ebe851d2d2e70fa641bb72b1d4a81d57942c06

SHA512
9d07dbbecd71eb876f90a95e3bbe615b8e3da89f143d0b24dbde8b141719aa36e00879f830b3194596e5f5a6316b3dc3c349fcb409d2336e9d8c49a5046be2c3

Download Submit
memory/2744-138-0x0000000000000000-mapping.dmp

Download
memory/3792-132-0x0000000000000000-mapping.dmp

Download
memory/4416-135-0x0000000000000000-mapping.dmp

Download
memory/4512-168-0x0000000000000000-mapping.dmp

Download