79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
Size

1016KB
MD5

5363730898d77d9b8374b0fc57ca4520
SHA1

a51bd285c4f2309533c6696fa3023843869b521d
SHA256

79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e
SHA512

2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970
SSDEEP

6144:jIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:jIXsgtvm1De5YlOx6lzBH46Umu1q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cdhky.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdhky.exe

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "ndworhctpggmpjdcjyjz.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "zlaonzqdviegfvlg.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "ndworhctpggmpjdcjyjz.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "ctngkbxpmefmqlggoeqhb.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "aphyapjzukjoqjcague.exe"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "aphyapjzukjoqjcague.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtjyyldrkyvyypgcg.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtjyyldrkyvyypgcg.exe"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gltasxhny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndworhctpggmpjdcjyjz.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rzkupxkthqig = "aphyapjzukjoqjcague.exe"	cdhky.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe

Executes dropped EXE 5 IoCs

pid	Process
1104	vsmxiywcfcw.exe
1728	cdhky.exe
1924	cdhky.exe
1020	cdhky.exe
972	cdhky.exe

Loads dropped DLL 10 IoCs

pid	Process
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe
1104	vsmxiywcfcw.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "aphyapjzukjoqjcague.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "aphyapjzukjoqjcague.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uftgepfriupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe ."	cdhky.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "gtjyyldrkyvyypgcg.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "gtjyyldrkyvyypgcg.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "gtjyyldrkyvyypgcg.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "ctngkbxpmefmqlggoeqhb.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "zlaonzqdviegfvlg.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndworhctpggmpjdcjyjz.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "pduklzshbqostldafs.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndworhctpggmpjdcjyjz.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cdhky.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "zlaonzqdviegfvlg.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtjyyldrkyvyypgcg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "zlaonzqdviegfvlg.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtjyyldrkyvyypgcg.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndworhctpggmpjdcjyjz.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe ."	cdhky.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "aphyapjzukjoqjcague.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "gtjyyldrkyvyypgcg.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aphyapjzukjoqjcague.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndworhctpggmpjdcjyjz.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uftgepfriupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aphyapjzukjoqjcague.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "aphyapjzukjoqjcague.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "ndworhctpggmpjdcjyjz.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "ctngkbxpmefmqlggoeqhb.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "ndworhctpggmpjdcjyjz.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubluovhpckb = "zlaonzqdviegfvlg.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "aphyapjzukjoqjcague.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rboaxhwhxicczn = "pduklzshbqostldafs.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uftgepfriupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe ."	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "gtjyyldrkyvyypgcg.exe"	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "pduklzshbqostldafs.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zfowpvgnzg = "aphyapjzukjoqjcague.exe"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cdhky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzlwsbpzoyrqm = "ctngkbxpmefmqlggoeqhb.exe"	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uftgepfriupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlaonzqdviegfvlg.exe ."	cdhky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uftgepfriupqods = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pduklzshbqostldafs.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlaonzqdviegfvlg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctngkbxpmefmqlggoeqhb.exe"	vsmxiywcfcw.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	www.showmyipaddress.com
4	whatismyip.everdot.org
11	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zlaonzqdviegfvlg.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\ndworhctpggmpjdcjyjz.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\ctngkbxpmefmqlggoeqhb.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\ctngkbxpmefmqlggoeqhb.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\aphyapjzukjoqjcague.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\tlgafxunlegotplmvmzrmg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\ctngkbxpmefmqlggoeqhb.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\tlgafxunlegotplmvmzrmg.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\pduklzshbqostldafs.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\aphyapjzukjoqjcague.exe	cdhky.exe
File created	C:\Windows\SysWOW64\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\gtjyyldrkyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\pduklzshbqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\zlaonzqdviegfvlg.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\ndworhctpggmpjdcjyjz.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\aphyapjzukjoqjcague.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\pduklzshbqostldafs.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\gtjyyldrkyvyypgcg.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\ndworhctpggmpjdcjyjz.exe	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\tlgafxunlegotplmvmzrmg.exe	cdhky.exe
File created	C:\Windows\SysWOW64\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe
File opened for modification	C:\Windows\SysWOW64\zlaonzqdviegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\gtjyyldrkyvyypgcg.exe	cdhky.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe
File created	C:\Program Files (x86)\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe
File opened for modification	C:\Program Files (x86)\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe
File created	C:\Program Files (x86)\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ctngkbxpmefmqlggoeqhb.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\zlaonzqdviegfvlg.exe	cdhky.exe
File opened for modification	C:\Windows\ndworhctpggmpjdcjyjz.exe	cdhky.exe
File opened for modification	C:\Windows\gtjyyldrkyvyypgcg.exe	cdhky.exe
File opened for modification	C:\Windows\aphyapjzukjoqjcague.exe	cdhky.exe
File opened for modification	C:\Windows\ndworhctpggmpjdcjyjz.exe	cdhky.exe
File created	C:\Windows\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe
File opened for modification	C:\Windows\zlaonzqdviegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\gtjyyldrkyvyypgcg.exe	cdhky.exe
File opened for modification	C:\Windows\rboaxhwhxiccznbuvejtgspzozpauurftmnw.lyk	cdhky.exe
File opened for modification	C:\Windows\aphyapjzukjoqjcague.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\tlgafxunlegotplmvmzrmg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\aphyapjzukjoqjcague.exe	cdhky.exe
File opened for modification	C:\Windows\tlgafxunlegotplmvmzrmg.exe	cdhky.exe
File opened for modification	C:\Windows\zlaonzqdviegfvlg.exe	cdhky.exe
File opened for modification	C:\Windows\ctngkbxpmefmqlggoeqhb.exe	cdhky.exe
File opened for modification	C:\Windows\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe
File opened for modification	C:\Windows\gtjyyldrkyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\pduklzshbqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\ndworhctpggmpjdcjyjz.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\pduklzshbqostldafs.exe	cdhky.exe
File opened for modification	C:\Windows\ctngkbxpmefmqlggoeqhb.exe	cdhky.exe
File opened for modification	C:\Windows\pduklzshbqostldafs.exe	cdhky.exe
File opened for modification	C:\Windows\tlgafxunlegotplmvmzrmg.exe	cdhky.exe
File created	C:\Windows\mlnoazddiirgsvygwuonpqcbf.kkt	cdhky.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
1728	cdhky.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	cdhky.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1104	752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe	27
PID 752 wrote to memory of 1104	752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe	27
PID 752 wrote to memory of 1104	752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe	27
PID 752 wrote to memory of 1104	752	79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe	27
PID 1104 wrote to memory of 1728	1104	vsmxiywcfcw.exe	28
PID 1104 wrote to memory of 1728	1104	vsmxiywcfcw.exe	28
PID 1104 wrote to memory of 1728	1104	vsmxiywcfcw.exe	28
PID 1104 wrote to memory of 1728	1104	vsmxiywcfcw.exe	28
PID 1104 wrote to memory of 1924	1104	vsmxiywcfcw.exe	29
PID 1104 wrote to memory of 1924	1104	vsmxiywcfcw.exe	29
PID 1104 wrote to memory of 1924	1104	vsmxiywcfcw.exe	29
PID 1104 wrote to memory of 1924	1104	vsmxiywcfcw.exe	29
PID 1104 wrote to memory of 1020	1104	vsmxiywcfcw.exe	31
PID 1104 wrote to memory of 1020	1104	vsmxiywcfcw.exe	31
PID 1104 wrote to memory of 1020	1104	vsmxiywcfcw.exe	31
PID 1104 wrote to memory of 1020	1104	vsmxiywcfcw.exe	31
PID 1104 wrote to memory of 972	1104	vsmxiywcfcw.exe	30
PID 1104 wrote to memory of 972	1104	vsmxiywcfcw.exe	30
PID 1104 wrote to memory of 972	1104	vsmxiywcfcw.exe	30
PID 1104 wrote to memory of 972	1104	vsmxiywcfcw.exe	30

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cdhky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cdhky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdhky.exe

C:\Users\Admin\AppData\Local\Temp\79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe
"C:\Users\Admin\AppData\Local\Temp\79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe
  "C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe" "c:\users\admin\appdata\local\temp\79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\cdhky.exe
    "C:\Users\Admin\AppData\Local\Temp\cdhky.exe" "-C:\Users\Admin\AppData\Local\Temp\zlaonzqdviegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\cdhky.exe
    "C:\Users\Admin\AppData\Local\Temp\cdhky.exe" "-C:\Users\Admin\AppData\Local\Temp\zlaonzqdviegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\cdhky.exe
    "C:\Users\Admin\AppData\Local\Temp\cdhky.exe" "-C:\Users\Admin\AppData\Local\Temp\zlaonzqdviegfvlg.exe"
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\cdhky.exe
    "C:\Users\Admin\AppData\Local\Temp\cdhky.exe" "-C:\Users\Admin\AppData\Local\Temp\zlaonzqdviegfvlg.exe"
    3⤵
    - Executes dropped EXE
    PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aphyapjzukjoqjcague.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctngkbxpmefmqlggoeqhb.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtjyyldrkyvyypgcg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndworhctpggmpjdcjyjz.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\pduklzshbqostldafs.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlgafxunlegotplmvmzrmg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
5f83482f3a0d759494c64011e28c9e17

SHA1
6f82e48dc2665b1510ac44a1d2510f38718ae0a5

SHA256
204a7eef1f08292dbc56da8d274e912b198093ccaf8178d42e858dd14a6c1455

SHA512
7a6a53748fe6daaeb786bd1769e4dc78009934dbc0d118598ced2a2dc911abc0db4404eee0d694f3583c0aeb8adadb5351a4be52f39ccf03f42354dd4ba4729a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
5f83482f3a0d759494c64011e28c9e17

SHA1
6f82e48dc2665b1510ac44a1d2510f38718ae0a5

SHA256
204a7eef1f08292dbc56da8d274e912b198093ccaf8178d42e858dd14a6c1455

SHA512
7a6a53748fe6daaeb786bd1769e4dc78009934dbc0d118598ced2a2dc911abc0db4404eee0d694f3583c0aeb8adadb5351a4be52f39ccf03f42354dd4ba4729a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlaonzqdviegfvlg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\aphyapjzukjoqjcague.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\ctngkbxpmefmqlggoeqhb.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\gtjyyldrkyvyypgcg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\ndworhctpggmpjdcjyjz.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\pduklzshbqostldafs.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\tlgafxunlegotplmvmzrmg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\SysWOW64\zlaonzqdviegfvlg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\aphyapjzukjoqjcague.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\aphyapjzukjoqjcague.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\ctngkbxpmefmqlggoeqhb.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\ctngkbxpmefmqlggoeqhb.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\gtjyyldrkyvyypgcg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\gtjyyldrkyvyypgcg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\ndworhctpggmpjdcjyjz.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\ndworhctpggmpjdcjyjz.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\pduklzshbqostldafs.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\pduklzshbqostldafs.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\tlgafxunlegotplmvmzrmg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\tlgafxunlegotplmvmzrmg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\zlaonzqdviegfvlg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
C:\Windows\zlaonzqdviegfvlg.exe

Filesize
1016KB

MD5
5363730898d77d9b8374b0fc57ca4520

SHA1
a51bd285c4f2309533c6696fa3023843869b521d

SHA256
79cb60306cffed3fa5841630284d7bb19e478548aa707c23f687f81d305ee16e

SHA512
2bb86aa6835d6c6d2f66ba53bf1dd4a66d008ed386a5ee485bc5a755ce2949aaea6910396d74f9a70b00660f9ed7c6c751c62f3604ded1ff12ffc114a8a3f970

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\cdhky.exe

Filesize
712KB

MD5
e980bd0249783fefe2af247e38f19fe8

SHA1
42276a8698aa7764f02ceefde5efe49072943a00

SHA256
083a9761cd7f79b2f57d8779be2d0e96ef1b84d4ef2f3ec857447c46d293c985

SHA512
790d626491a5007c381ee44e178b14d9fd1653a6d58cb4a33e71a22eca568ec0fdc18f580a0c78cab71a3555f9a2c634577f49ed96212c0fc291fed81f4e552b

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
5f83482f3a0d759494c64011e28c9e17

SHA1
6f82e48dc2665b1510ac44a1d2510f38718ae0a5

SHA256
204a7eef1f08292dbc56da8d274e912b198093ccaf8178d42e858dd14a6c1455

SHA512
7a6a53748fe6daaeb786bd1769e4dc78009934dbc0d118598ced2a2dc911abc0db4404eee0d694f3583c0aeb8adadb5351a4be52f39ccf03f42354dd4ba4729a

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
5f83482f3a0d759494c64011e28c9e17

SHA1
6f82e48dc2665b1510ac44a1d2510f38718ae0a5

SHA256
204a7eef1f08292dbc56da8d274e912b198093ccaf8178d42e858dd14a6c1455

SHA512
7a6a53748fe6daaeb786bd1769e4dc78009934dbc0d118598ced2a2dc911abc0db4404eee0d694f3583c0aeb8adadb5351a4be52f39ccf03f42354dd4ba4729a

Download Submit
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/972-76-0x0000000000000000-mapping.dmp

Download
memory/1020-73-0x0000000000000000-mapping.dmp

Download
memory/1104-57-0x0000000000000000-mapping.dmp

Download
memory/1728-63-0x0000000000000000-mapping.dmp

Download
memory/1924-68-0x0000000000000000-mapping.dmp

Download