1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

Analysis

max time kernel
186s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
Size

1016KB
MD5

44393b585c395c719d5253ee3c31a620
SHA1

2e67a1959239c38212d2535b14933ca0509aaac1
SHA256

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca
SHA512

52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65
SSDEEP

6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:KIXsgtvm1De5YlOx6lzBH46Umu1q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

nyoszvryxiy.exeahgrr.exeahgrr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ahgrr.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ahgrr.exenyoszvryxiy.exeahgrr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ahgrr.exenyoszvryxiy.exeahgrr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "lhvvkeetshysreuzeuhd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "exifrifrnzneakxzb.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "exifrifrnzneakxzb.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "ytgftmlzxlbusetxbqc.exe"	nyoszvryxiy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nyoszvryxiy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xjndisinch = "lhvvkeetshysreuzeuhd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhivxer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe"	ahgrr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

ahgrr.exeahgrr.exenyoszvryxiy.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe

Executes dropped EXE 3 IoCs

Processes:

nyoszvryxiy.exeahgrr.exeahgrr.exe

pid process

580 nyoszvryxiy.exe
1736 ahgrr.exe
1740 ahgrr.exe

pid	process
580	nyoszvryxiy.exe
1736	ahgrr.exe
1740	ahgrr.exe

Loads dropped DLL 6 IoCs

Processes:

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exenyoszvryxiy.exe

pid	process
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
580	nyoszvryxiy.exe
580	nyoszvryxiy.exe
580	nyoszvryxiy.exe
580	nyoszvryxiy.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nyoszvryxiy.exeahgrr.exeahgrr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "axmndyzppfxssgxdjaola.exe ."	nyoszvryxiy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "ytgftmlzxlbusetxbqc.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "xpzvgwsdyjwmhqcd.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe ."	ahgrr.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvvkeetshysreuzeuhd.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvvkeetshysreuzeuhd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "axmndyzppfxssgxdjaola.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "exifrifrnzneakxzb.exe ."	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvvkeetshysreuzeuhd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "lhvvkeetshysreuzeuhd.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "lhvvkeetshysreuzeuhd.exe ."	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	nyoszvryxiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "ytgftmlzxlbusetxbqc.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmndyzppfxssgxdjaola.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe ."	nyoszvryxiy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "nhtrewuhergyvguxao.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmndyzppfxssgxdjaola.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "nhtrewuhergyvguxao.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\odkdlyrzrzjwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe ."	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "nhtrewuhergyvguxao.exe ."	ahgrr.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pdjbiumtkram = "nhtrewuhergyvguxao.exe ."	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nyoszvryxiy.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "nhtrewuhergyvguxao.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfkbhsjpflt = "axmndyzppfxssgxdjaola.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "ytgftmlzxlbusetxbqc.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "xpzvgwsdyjwmhqcd.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgftmlzxlbusetxbqc.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "exifrifrnzneakxzb.exe"	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfnhqeyhajuibi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzvgwsdyjwmhqcd.exe"	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exifrifrnzneakxzb.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtrewuhergyvguxao.exe ."	ahgrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\epshlujnb = "exifrifrnzneakxzb.exe ."	nyoszvryxiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nxznqymp = "exifrifrnzneakxzb.exe"	ahgrr.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ahgrr.exenyoszvryxiy.exeahgrr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nyoszvryxiy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ahgrr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyip.everdot.org
4 www.showmyipaddress.com
8 whatismyipaddress.com

flow	ioc
3	whatismyip.everdot.org
4	www.showmyipaddress.com
8	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

Processes:

nyoszvryxiy.exeahgrr.exeahgrr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\exifrifrnzneakxzb.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe	ahgrr.exe
File created	C:\Windows\SysWOW64\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe
File created	C:\Windows\SysWOW64\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\exifrifrnzneakxzb.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\exifrifrnzneakxzb.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe	ahgrr.exe
File opened for modification	C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe	nyoszvryxiy.exe

Drops file in Program Files directory 4 IoCs

Processes:

ahgrr.exe

description	ioc	process
File created	C:\Program Files (x86)\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe
File opened for modification	C:\Program Files (x86)\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File created	C:\Program Files (x86)\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File opened for modification	C:\Program Files (x86)\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe

Drops file in Windows directory 25 IoCs

Processes:

ahgrr.exenyoszvryxiy.exeahgrr.exe

description	ioc	process
File opened for modification	C:\Windows\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe
File created	C:\Windows\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File opened for modification	C:\Windows\xpzvgwsdyjwmhqcd.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\lhvvkeetshysreuzeuhd.exe	ahgrr.exe
File opened for modification	C:\Windows\xpzvgwsdyjwmhqcd.exe	ahgrr.exe
File opened for modification	C:\Windows\exifrifrnzneakxzb.exe	ahgrr.exe
File opened for modification	C:\Windows\rpfhyuwnofyuvkcjqixvln.exe	ahgrr.exe
File opened for modification	C:\Windows\ytgftmlzxlbusetxbqc.exe	ahgrr.exe
File opened for modification	C:\Windows\axmndyzppfxssgxdjaola.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\lhvvkeetshysreuzeuhd.exe	ahgrr.exe
File opened for modification	C:\Windows\nhtrewuhergyvguxao.exe	ahgrr.exe
File opened for modification	C:\Windows\nhtrewuhergyvguxao.exe	ahgrr.exe
File opened for modification	C:\Windows\rpfhyuwnofyuvkcjqixvln.exe	ahgrr.exe
File opened for modification	C:\Windows\xpzvgwsdyjwmhqcdeqzrbxiyufalyojsefgsbt.zka	ahgrr.exe
File opened for modification	C:\Windows\exifrifrnzneakxzb.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\ytgftmlzxlbusetxbqc.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\rpfhyuwnofyuvkcjqixvln.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\xpzvgwsdyjwmhqcd.exe	ahgrr.exe
File opened for modification	C:\Windows\exifrifrnzneakxzb.exe	ahgrr.exe
File opened for modification	C:\Windows\ytgftmlzxlbusetxbqc.exe	ahgrr.exe
File opened for modification	C:\Windows\axmndyzppfxssgxdjaola.exe	ahgrr.exe
File opened for modification	C:\Windows\axmndyzppfxssgxdjaola.exe	ahgrr.exe
File opened for modification	C:\Windows\nhtrewuhergyvguxao.exe	nyoszvryxiy.exe
File opened for modification	C:\Windows\lhvvkeetshysreuzeuhd.exe	nyoszvryxiy.exe
File created	C:\Windows\ahgrrwhhrrtyighxnomtsddittd.fku	ahgrr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exeahgrr.exe

pid	process
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
1740	ahgrr.exe
1740	ahgrr.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ahgrr.exe

description pid process

Token: SeDebugPrivilege 1740 ahgrr.exe

description	pid	process
Token: SeDebugPrivilege	1740	ahgrr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exenyoszvryxiy.exe

description	pid	process	target process
PID 860 wrote to memory of 580	860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe	nyoszvryxiy.exe
PID 860 wrote to memory of 580	860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe	nyoszvryxiy.exe
PID 860 wrote to memory of 580	860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe	nyoszvryxiy.exe
PID 860 wrote to memory of 580	860	1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe	nyoszvryxiy.exe
PID 580 wrote to memory of 1736	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1736	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1736	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1736	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1740	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1740	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1740	580	nyoszvryxiy.exe	ahgrr.exe
PID 580 wrote to memory of 1740	580	nyoszvryxiy.exe	ahgrr.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

nyoszvryxiy.exeahgrr.exeahgrr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ahgrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nyoszvryxiy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nyoszvryxiy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ahgrr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nyoszvryxiy.exe

C:\Users\Admin\AppData\Local\Temp\1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe
"C:\Users\Admin\AppData\Local\Temp\1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe
  "C:\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe" "c:\users\admin\appdata\local\temp\1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\ahgrr.exe
    "C:\Users\Admin\AppData\Local\Temp\ahgrr.exe" "-C:\Users\Admin\AppData\Local\Temp\xpzvgwsdyjwmhqcd.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\ahgrr.exe
    "C:\Users\Admin\AppData\Local\Temp\ahgrr.exe" "-C:\Users\Admin\AppData\Local\Temp\xpzvgwsdyjwmhqcd.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe

Filesize
320KB

MD5
a12c48e1df25e2a7b33d8a2955e152f8

SHA1
80d29d9a1cde01dae6475b2de73b81db11cc15d4

SHA256
f034132fcf337c605d5a50f4c24610966b314861a26bcb91286f675e14c4f97c

SHA512
4117a0ebf89ad6ffea5ea238acf37abf1ac18668cf12c8ce4972d24c4ee2b8956d46ffddbac5bf288035d8d47e82c8f43cc54461642872dd93262190e59306c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe

Filesize
320KB

MD5
a12c48e1df25e2a7b33d8a2955e152f8

SHA1
80d29d9a1cde01dae6475b2de73b81db11cc15d4

SHA256
f034132fcf337c605d5a50f4c24610966b314861a26bcb91286f675e14c4f97c

SHA512
4117a0ebf89ad6ffea5ea238acf37abf1ac18668cf12c8ce4972d24c4ee2b8956d46ffddbac5bf288035d8d47e82c8f43cc54461642872dd93262190e59306c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\SysWOW64\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\axmndyzppfxssgxdjaola.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\exifrifrnzneakxzb.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\lhvvkeetshysreuzeuhd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\nhtrewuhergyvguxao.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\rpfhyuwnofyuvkcjqixvln.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\xpzvgwsdyjwmhqcd.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
C:\Windows\ytgftmlzxlbusetxbqc.exe

Filesize
1016KB

MD5
44393b585c395c719d5253ee3c31a620

SHA1
2e67a1959239c38212d2535b14933ca0509aaac1

SHA256
1e52a4e16dcf37f5b22980bf9f3821d36c7fc0f7194abb8dfeb56f11c511b6ca

SHA512
52327d3b305ff2c42ceec683dd2778f965cf62348fc1177e4506266b2fd6ba0bc7ed9ff8ef8e0b677ba7b4e5c17e42e471610faefdc5edc5b5d39883447c4b65

Download Submit
\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
\Users\Admin\AppData\Local\Temp\ahgrr.exe

Filesize
708KB

MD5
ba0b302e8ec676a59943bee7b1d58f9c

SHA1
35e60648d3f6906bb6b9407139e087c7a8688cb1

SHA256
6d3cdb6397c681f3d1c25d25f44989836fb887fa5a3924fa3b889f5b74a1b41e

SHA512
542e2fa9c7ff9d74d4f6d5587ce7e876c7b4d809cf38eeac824679b800bc5efa790932d5231b2cf7288eb63388d4442157c6c396eadd7f5ddf87c962a496a6a2

Download Submit
\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe

Filesize
320KB

MD5
a12c48e1df25e2a7b33d8a2955e152f8

SHA1
80d29d9a1cde01dae6475b2de73b81db11cc15d4

SHA256
f034132fcf337c605d5a50f4c24610966b314861a26bcb91286f675e14c4f97c

SHA512
4117a0ebf89ad6ffea5ea238acf37abf1ac18668cf12c8ce4972d24c4ee2b8956d46ffddbac5bf288035d8d47e82c8f43cc54461642872dd93262190e59306c0

Download Submit
\Users\Admin\AppData\Local\Temp\nyoszvryxiy.exe

Filesize
320KB

MD5
a12c48e1df25e2a7b33d8a2955e152f8

SHA1
80d29d9a1cde01dae6475b2de73b81db11cc15d4

SHA256
f034132fcf337c605d5a50f4c24610966b314861a26bcb91286f675e14c4f97c

SHA512
4117a0ebf89ad6ffea5ea238acf37abf1ac18668cf12c8ce4972d24c4ee2b8956d46ffddbac5bf288035d8d47e82c8f43cc54461642872dd93262190e59306c0

Download Submit
memory/580-57-0x0000000000000000-mapping.dmp

Download
memory/860-54-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/1736-63-0x0000000000000000-mapping.dmp

Download
memory/1740-68-0x0000000000000000-mapping.dmp

Download