291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

Analysis

max time kernel
239s
max time network
312s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
Size

576KB
MD5

440f974300b8cdf663abe985b53ecc1f
SHA1

ec5c998fda4ad192c5c057975b64563073867d50
SHA256

291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152
SHA512

99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc
SSDEEP

12288:gQMFG+2gef5x/xQTB2OfDKC7Wgc9K/tUx70:gQj+29VgfDnK5StUxA

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yeqtxkq.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yeqtxkq.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "xmhtgcrbtawmpbvs.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmhtgcrbtawmpbvs.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "euqdroepiqneivqox.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "ledtkkdrnyyszpnoangf.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\parzialrfiam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "ledtkkdrnyyszpnoangf.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgalxsgpgmhwyjc = "ledtkkdrnyyszpnoangf.exe"	hyjhodvyrit.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe

Executes dropped EXE 3 IoCs

pid	Process
1064	hyjhodvyrit.exe
776	yeqtxkq.exe
840	yeqtxkq.exe

Loads dropped DLL 6 IoCs

pid	Process
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
1064	hyjhodvyrit.exe
1064	hyjhodvyrit.exe
1064	hyjhodvyrit.exe
1064	hyjhodvyrit.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "yqodtskxscbuapmmxjb.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\euqdroepiqneivqox = "euqdroepiqneivqox.exe ."	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "auuldeynkwxsarqsftnne.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ledtkkdrnyyszpnoangf.exe ."	yeqtxkq.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\euqdroepiqneivqox = "nebpectfzigydrnmwh.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nebpectfzigydrnmwh.exe ."	yeqtxkq.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nebpectfzigydrnmwh.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmhtgcrbtawmpbvs.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmhtgcrbtawmpbvs = "yqodtskxscbuapmmxjb.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmhtgcrbtawmpbvs = "ledtkkdrnyyszpnoangf.exe"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nebpectfzigydrnmwh.exe ."	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "xmhtgcrbtawmpbvs.exe ."	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "nebpectfzigydrnmwh.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\euqdroepiqneivqox = "xmhtgcrbtawmpbvs.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ledtkkdrnyyszpnoangf.exe"	yeqtxkq.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmhtgcrbtawmpbvs = "yqodtskxscbuapmmxjb.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "ledtkkdrnyyszpnoangf.exe ."	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmhtgcrbtawmpbvs = "euqdroepiqneivqox.exe"	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe ."	hyjhodvyrit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "euqdroepiqneivqox.exe"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hyjhodvyrit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "yqodtskxscbuapmmxjb.exe ."	hyjhodvyrit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\euqdroepiqneivqox.exe ."	hyjhodvyrit.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "nebpectfzigydrnmwh.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmhtgcrbtawmpbvs.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe ."	hyjhodvyrit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "ledtkkdrnyyszpnoangf.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmhtgcrbtawmpbvs = "nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "euqdroepiqneivqox.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nebpectfzigydrnmwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqodtskxscbuapmmxjb.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "euqdroepiqneivqox.exe ."	yeqtxkq.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nebpectfzigydrnmwh.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\euqdroepiqneivqox = "yqodtskxscbuapmmxjb.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmhtgcrbtawmpbvs.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmhtgcrbtawmpbvs.exe"	yeqtxkq.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pcvfqkxfvauijt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\auuldeynkwxsarqsftnne.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\euqdroepiqneivqox = "ledtkkdrnyyszpnoangf.exe ."	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqodtskxscbuapmmxjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ledtkkdrnyyszpnoangf.exe"	yeqtxkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oasbleqxmqjww = "auuldeynkwxsarqsftnne.exe"	yeqtxkq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyjhodvyrit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yeqtxkq.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	whatismyip.everdot.org
6	www.showmyipaddress.com
8	whatismyipaddress.com

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\euqdroepiqneivqox.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe	hyjhodvyrit.exe
File created	C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File created	C:\Windows\SysWOW64\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File opened for modification	C:\Windows\SysWOW64\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe
File created	C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe	hyjhodvyrit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File created	C:\Program Files (x86)\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File opened for modification	C:\Program Files (x86)\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe
File created	C:\Program Files (x86)\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\euqdroepiqneivqox.exe	yeqtxkq.exe
File opened for modification	C:\Windows\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File opened for modification	C:\Windows\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File opened for modification	C:\Windows\xmhtgcrbtawmpbvs.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\yqodtskxscbuapmmxjb.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\rmnfyavljwyudvvymbwxpi.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\nebpectfzigydrnmwh.exe	yeqtxkq.exe
File opened for modification	C:\Windows\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File opened for modification	C:\Windows\euqdroepiqneivqox.exe	hyjhodvyrit.exe
File created	C:\Windows\nebpectfzigydrnmwh.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\auuldeynkwxsarqsftnne.exe	hyjhodvyrit.exe
File created	C:\Windows\yqodtskxscbuapmmxjb.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\auuldeynkwxsarqsftnne.exe	yeqtxkq.exe
File opened for modification	C:\Windows\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File created	C:\Windows\ledtkkdrnyyszpnoangf.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\yqodtskxscbuapmmxjb.exe	yeqtxkq.exe
File opened for modification	C:\Windows\euqdroepiqneivqox.exe	yeqtxkq.exe
File created	C:\Windows\xmhtgcrbtawmpbvs.exe	hyjhodvyrit.exe
File created	C:\Windows\euqdroepiqneivqox.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\rmnfyavljwyudvvymbwxpi.exe	yeqtxkq.exe
File created	C:\Windows\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe
File created	C:\Windows\auuldeynkwxsarqsftnne.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File opened for modification	C:\Windows\pcvfqkxfvauijtlgmtgzjuobjzeymnxpkqxk.nys	yeqtxkq.exe
File opened for modification	C:\Windows\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File opened for modification	C:\Windows\ledtkkdrnyyszpnoangf.exe	yeqtxkq.exe
File opened for modification	C:\Windows\xmhtgcrbtawmpbvs.exe	yeqtxkq.exe
File created	C:\Windows\kmuttcebgajmcbisnjltssbda.zil	yeqtxkq.exe
File opened for modification	C:\Windows\nebpectfzigydrnmwh.exe	hyjhodvyrit.exe
File opened for modification	C:\Windows\ledtkkdrnyyszpnoangf.exe	hyjhodvyrit.exe
File created	C:\Windows\rmnfyavljwyudvvymbwxpi.exe	hyjhodvyrit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
840	yeqtxkq.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	yeqtxkq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1064	360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe	28
PID 360 wrote to memory of 1064	360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe	28
PID 360 wrote to memory of 1064	360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe	28
PID 360 wrote to memory of 1064	360	291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe	28
PID 1064 wrote to memory of 776	1064	hyjhodvyrit.exe	29
PID 1064 wrote to memory of 776	1064	hyjhodvyrit.exe	29
PID 1064 wrote to memory of 776	1064	hyjhodvyrit.exe	29
PID 1064 wrote to memory of 776	1064	hyjhodvyrit.exe	29
PID 1064 wrote to memory of 840	1064	hyjhodvyrit.exe	30
PID 1064 wrote to memory of 840	1064	hyjhodvyrit.exe	30
PID 1064 wrote to memory of 840	1064	hyjhodvyrit.exe	30
PID 1064 wrote to memory of 840	1064	hyjhodvyrit.exe	30

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	hyjhodvyrit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	hyjhodvyrit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yeqtxkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyjhodvyrit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yeqtxkq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yeqtxkq.exe

C:\Users\Admin\AppData\Local\Temp\291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe
"C:\Users\Admin\AppData\Local\Temp\291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe
  "C:\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe" "c:\users\admin\appdata\local\temp\291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe
    "C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe" "-c:\users\admin\appdata\local\temp\291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:776
- - C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe
    "C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe" "-c:\users\admin\appdata\local\temp\291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\auuldeynkwxsarqsftnne.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\euqdroepiqneivqox.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\ledtkkdrnyyszpnoangf.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nebpectfzigydrnmwh.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmnfyavljwyudvvymbwxpi.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmhtgcrbtawmpbvs.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqodtskxscbuapmmxjb.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\auuldeynkwxsarqsftnne.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\euqdroepiqneivqox.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\ledtkkdrnyyszpnoangf.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\nebpectfzigydrnmwh.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\rmnfyavljwyudvvymbwxpi.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\xmhtgcrbtawmpbvs.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\SysWOW64\yqodtskxscbuapmmxjb.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\auuldeynkwxsarqsftnne.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\auuldeynkwxsarqsftnne.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\euqdroepiqneivqox.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\euqdroepiqneivqox.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\ledtkkdrnyyszpnoangf.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\ledtkkdrnyyszpnoangf.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\nebpectfzigydrnmwh.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\nebpectfzigydrnmwh.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\rmnfyavljwyudvvymbwxpi.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\rmnfyavljwyudvvymbwxpi.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\xmhtgcrbtawmpbvs.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\xmhtgcrbtawmpbvs.exe

Filesize
576KB

MD5
d35a63fc55924e491d7694eb234e8dde

SHA1
0d6043e19c15bfa8ea2891f992730548b81cbf54

SHA256
33ce82dd21b246b0137b8efe4548dbe34927bc55c7c58578f36e112beec0ef7c

SHA512
5b612186d973ef938ea8b07f7a82eee5c88332f886c64f1ad8795eb1352ec25ed3b24c9b3ba6d71c1be618a4395b838e69e54df033fde3565cb0bcebcf66bc2d

Download Submit
C:\Windows\yqodtskxscbuapmmxjb.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
C:\Windows\yqodtskxscbuapmmxjb.exe

Filesize
576KB

MD5
440f974300b8cdf663abe985b53ecc1f

SHA1
ec5c998fda4ad192c5c057975b64563073867d50

SHA256
291efe1132ef8f78612a46a5a6f51bafe9ad77bed8dfe729d7f9687f9205d152

SHA512
99d0aa5aa33b8f163b3acd94470535f223e2dd5574544938f105d39282c821669b48b1a63122d5e771763f5f15b4abcbf11e465b15a4e881c3e45f3f1efa8bfc

Download Submit
\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
\Users\Admin\AppData\Local\Temp\hyjhodvyrit.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
\Users\Admin\AppData\Local\Temp\yeqtxkq.exe

Filesize
724KB

MD5
a02f5b7cb4a6f0473233c953795cb588

SHA1
8eb74e9510fb4fc397f3db7087c987ec7f25b37b

SHA256
51afd736471f29c6943bad0944fcc534601d7c5da9d803b19d5f1338d45b76f9

SHA512
c40e62c3f978c0eafc9428c3d5ee449b0a17b710fb11bce3d7fe318f9ba8cbd35b06bcf54097b57148fdbbfb84e2217098a5c454108656e16f402516067290ce

Download Submit
memory/360-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download