a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

Analysis

max time kernel
152s
max time network
194s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
Size

488KB
MD5

7ffd687e3046eba7d819628442e83fa3
SHA1

819ab64fe969ee3d37ecf205875f4d686af9a34b
SHA256

a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2
SHA512

5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb
SSDEEP

12288:x6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgB:SvdezCByqTtlMQsFuqzRbzI7IE

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ygkty.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ygkty.exe

Adds policy Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "wskhaqeauxfsyarjuhd.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "cwmhymysklrcggvlu.exe"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "vodxnalevvaknmap.exe"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcofsckaolnuu = "lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\virfpwbozt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	cchfzisvmmr.exe
460	ygkty.exe
564	ygkty.exe

Loads dropped DLL 6 IoCs

pid	Process
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
2032	cchfzisvmmr.exe
2032	cchfzisvmmr.exe
2032	cchfzisvmmr.exe
2032	cchfzisvmmr.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "vodxnalevvaknmap.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "ywqpkcsqmrbqycvpcrpji.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "jgzxrixuptcqxaslxlib.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "cwmhymysklrcggvlu.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "wskhaqeauxfsyarjuhd.exe"	ygkty.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "vodxnalevvaknmap.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wskhaqeauxfsyarjuhd.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgxtlanibdkwbcsjtf.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wskhaqeauxfsyarjuhd.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "cwmhymysklrcggvlu.exe ."	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cchfzisvmmr.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cchfzisvmmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "cwmhymysklrcggvlu.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "wskhaqeauxfsyarjuhd.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wskhaqeauxfsyarjuhd.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzxrixuptcqxaslxlib.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "cwmhymysklrcggvlu.exe ."	cchfzisvmmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "cwmhymysklrcggvlu.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "wskhaqeauxfsyarjuhd.exe ."	cchfzisvmmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe"	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "ywqpkcsqmrbqycvpcrpji.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzxrixuptcqxaslxlib.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "lgxtlanibdkwbcsjtf.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "cwmhymysklrcggvlu.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "wskhaqeauxfsyarjuhd.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cchfzisvmmr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "lgxtlanibdkwbcsjtf.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe ."	ygkty.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qiwpeqasihluwuh = "lgxtlanibdkwbcsjtf.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wskhaqeauxfsyarjuhd.exe ."	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vodxnalevvaknmap.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "cwmhymysklrcggvlu.exe"	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "cwmhymysklrcggvlu.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhymysklrcggvlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmhymysklrcggvlu.exe"	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgxtlanibdkwbcsjtf.exe ."	cchfzisvmmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "vodxnalevvaknmap.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerjxirixvyghe = "ywqpkcsqmrbqycvpcrpji.exe"	ygkty.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgxtlanibdkwbcsjtf.exe ."	ygkty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ncndpyfuhdek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywqpkcsqmrbqycvpcrpji.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vodxnalevvaknmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgzxrixuptcqxaslxlib.exe ."	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "ywqpkcsqmrbqycvpcrpji.exe"	cchfzisvmmr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ygkty.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qeodowcqcxx = "jgzxrixuptcqxaslxlib.exe"	ygkty.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cchfzisvmmr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyip.everdot.org
6	whatismyipaddress.com
9	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\wskhaqeauxfsyarjuhd.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\cwmhymysklrcggvlu.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\pojjfypolrcsbgavjzyttp.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\lgxtlanibdkwbcsjtf.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\pojjfypolrcsbgavjzyttp.exe	ygkty.exe
File created	C:\Windows\SysWOW64\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\cwmhymysklrcggvlu.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\lgxtlanibdkwbcsjtf.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\jgzxrixuptcqxaslxlib.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\ywqpkcsqmrbqycvpcrpji.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\ywqpkcsqmrbqycvpcrpji.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\vodxnalevvaknmap.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\jgzxrixuptcqxaslxlib.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\vodxnalevvaknmap.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\cwmhymysklrcggvlu.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\wskhaqeauxfsyarjuhd.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe
File created	C:\Windows\SysWOW64\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\vodxnalevvaknmap.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\pojjfypolrcsbgavjzyttp.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\SysWOW64\lgxtlanibdkwbcsjtf.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\wskhaqeauxfsyarjuhd.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\ywqpkcsqmrbqycvpcrpji.exe	ygkty.exe
File opened for modification	C:\Windows\SysWOW64\jgzxrixuptcqxaslxlib.exe	ygkty.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File created	C:\Program Files (x86)\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File opened for modification	C:\Program Files (x86)\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe
File created	C:\Program Files (x86)\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wskhaqeauxfsyarjuhd.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\pojjfypolrcsbgavjzyttp.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\cwmhymysklrcggvlu.exe	ygkty.exe
File opened for modification	C:\Windows\ywqpkcsqmrbqycvpcrpji.exe	ygkty.exe
File opened for modification	C:\Windows\lgxtlanibdkwbcsjtf.exe	ygkty.exe
File opened for modification	C:\Windows\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe
File opened for modification	C:\Windows\cwmhymysklrcggvlu.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\wskhaqeauxfsyarjuhd.exe	ygkty.exe
File opened for modification	C:\Windows\jgzxrixuptcqxaslxlib.exe	ygkty.exe
File opened for modification	C:\Windows\vodxnalevvaknmap.exe	ygkty.exe
File opened for modification	C:\Windows\cwmhymysklrcggvlu.exe	ygkty.exe
File opened for modification	C:\Windows\jgzxrixuptcqxaslxlib.exe	ygkty.exe
File opened for modification	C:\Windows\ywqpkcsqmrbqycvpcrpji.exe	ygkty.exe
File opened for modification	C:\Windows\vodxnalevvaknmap.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\ywqpkcsqmrbqycvpcrpji.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\wskhaqeauxfsyarjuhd.exe	ygkty.exe
File opened for modification	C:\Windows\pojjfypolrcsbgavjzyttp.exe	ygkty.exe
File created	C:\Windows\dijprqnsvhyujuuvplqrxzyv.dpg	ygkty.exe
File opened for modification	C:\Windows\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File created	C:\Windows\mcofsckaolnuuqbnszpbsfpxnbyahhdoafm.ofs	ygkty.exe
File opened for modification	C:\Windows\jgzxrixuptcqxaslxlib.exe	cchfzisvmmr.exe
File opened for modification	C:\Windows\vodxnalevvaknmap.exe	ygkty.exe
File opened for modification	C:\Windows\lgxtlanibdkwbcsjtf.exe	ygkty.exe
File opened for modification	C:\Windows\pojjfypolrcsbgavjzyttp.exe	ygkty.exe
File opened for modification	C:\Windows\lgxtlanibdkwbcsjtf.exe	cchfzisvmmr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
460	ygkty.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	ygkty.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2032	1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe	28
PID 1788 wrote to memory of 2032	1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe	28
PID 1788 wrote to memory of 2032	1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe	28
PID 1788 wrote to memory of 2032	1788	a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe	28
PID 2032 wrote to memory of 460	2032	cchfzisvmmr.exe	29
PID 2032 wrote to memory of 460	2032	cchfzisvmmr.exe	29
PID 2032 wrote to memory of 460	2032	cchfzisvmmr.exe	29
PID 2032 wrote to memory of 460	2032	cchfzisvmmr.exe	29
PID 2032 wrote to memory of 564	2032	cchfzisvmmr.exe	30
PID 2032 wrote to memory of 564	2032	cchfzisvmmr.exe	30
PID 2032 wrote to memory of 564	2032	cchfzisvmmr.exe	30
PID 2032 wrote to memory of 564	2032	cchfzisvmmr.exe	30

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cchfzisvmmr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cchfzisvmmr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cchfzisvmmr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ygkty.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ygkty.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ygkty.exe

C:\Users\Admin\AppData\Local\Temp\a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe
"C:\Users\Admin\AppData\Local\Temp\a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe
  "C:\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe" "c:\users\admin\appdata\local\temp\a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\ygkty.exe
    "C:\Users\Admin\AppData\Local\Temp\ygkty.exe" "-C:\Users\Admin\AppData\Local\Temp\vodxnalevvaknmap.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:460
- - C:\Users\Admin\AppData\Local\Temp\ygkty.exe
    "C:\Users\Admin\AppData\Local\Temp\ygkty.exe" "-C:\Users\Admin\AppData\Local\Temp\vodxnalevvaknmap.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwmhymysklrcggvlu.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgxtlanibdkwbcsjtf.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgxtlanibdkwbcsjtf.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vodxnalevvaknmap.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\cwmhymysklrcggvlu.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\lgxtlanibdkwbcsjtf.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\vodxnalevvaknmap.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\SysWOW64\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\cwmhymysklrcggvlu.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\cwmhymysklrcggvlu.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\jgzxrixuptcqxaslxlib.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\lgxtlanibdkwbcsjtf.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\lgxtlanibdkwbcsjtf.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\pojjfypolrcsbgavjzyttp.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\vodxnalevvaknmap.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\vodxnalevvaknmap.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\wskhaqeauxfsyarjuhd.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
C:\Windows\ywqpkcsqmrbqycvpcrpji.exe

Filesize
488KB

MD5
7ffd687e3046eba7d819628442e83fa3

SHA1
819ab64fe969ee3d37ecf205875f4d686af9a34b

SHA256
a5c959fb4abc3a06f9b9722f381dda6db90a4ce7c58a975a19333f85f45c46f2

SHA512
5ed136a8b87d6758e87e179943f01b03a384ff24ae995d04d0226c7059586bf15cc3e35ba0f61a2345701fcd051d8407ba0ec65cec596971557ef0fa69d214eb

Download Submit
\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
\Users\Admin\AppData\Local\Temp\cchfzisvmmr.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ygkty.exe

Filesize
712KB

MD5
01e14a25b6275193b5515a0d128f83f3

SHA1
fba7e0d867ade8842f3a10961f42e9867d3cebaf

SHA256
d7145ff57aca4657d52e3f3614035b34e8536fcd2ae9bc134b05f51f6d07654a

SHA512
8a1cb8be87d19ba35e9c2fcc70072ac85e840695389d0f34e6e6cb3d3183c037e02de525dbb0e5fc56f0278e4d9e4495cbe84916b20140a1b5587f15aaddfef6

Download Submit
memory/1788-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download