60f41fb93576acb95218dea7e0d71335aa6f1aed8747c580bbe67585e412040f

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Size

1.2MB
MD5

a8b3e6726e785ec919f469daca0085c0
SHA1

68350dc9e43da9ce79a97af58d5c51629d7f341d
SHA256

60f41fb93576acb95218dea7e0d71335aa6f1aed8747c580bbe67585e412040f
SHA512

f7262e2e3e38c7d352007f81ec7bceadc2fe2bc0e372eb373766848e40c144e53405fbc276fea8746ed1673e5bfb28726ec6a88a971bcb2480b7966378140751
SSDEEP

12288:KXgvmzFHi0mo5aH0qMzd5807F7dsPJQPDHvd:KXgvOHi0mGaH0qSdPF7dG4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ossgjm.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe

Adds policy Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "dwlogyxqqcbssncwnwpeh.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "qgsshwsifokyvnzqek.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "hwhguidsowrearcsf.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe"	ossgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\semitewibgyibp = "bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vejckshqgix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe"	ossgjm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.a8b3e6726e785ec919f469daca0085c0.exe

Executes dropped EXE 2 IoCs

pid	Process
228	ossgjm.exe
4348	ossgjm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "bsfgwmjayifuslyqfmd.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "oguwnecutecsrlzsiqiw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "qgsshwsifokyvnzqek.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "bsfgwmjayifuslyqfmd.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "dwlogyxqqcbssncwnwpeh.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "qgsshwsifokyvnzqek.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "oguwnecutecsrlzsiqiw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "aoywjwqezgamhxhw.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "qgsshwsifokyvnzqek.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "bsfgwmjayifuslyqfmd.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwhguidsowrearcsf.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "oguwnecutecsrlzsiqiw.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "dwlogyxqqcbssncwnwpeh.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "aoywjwqezgamhxhw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "qgsshwsifokyvnzqek.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viroamfsmslwqfo = "hwhguidsowrearcsf.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "bsfgwmjayifuslyqfmd.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoywjwqezgamhxhw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "dwlogyxqqcbssncwnwpeh.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "oguwnecutecsrlzsiqiw.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hwhguidsowrearcsf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwlogyxqqcbssncwnwpeh.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aoywjwqezgamhxhw = "bsfgwmjayifuslyqfmd.exe ."	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qgsshwsifokyvnzqek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsfgwmjayifuslyqfmd.exe"	ossgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sciclukuloem = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oguwnecutecsrlzsiqiw.exe"	ossgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcjeoypaswnwo = "dwlogyxqqcbssncwnwpeh.exe ."	ossgjm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	www.showmyipaddress.com
58	whatismyip.everdot.org
63	whatismyip.everdot.org
64	whatismyipaddress.com
69	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe
File created	C:\Windows\SysWOW64\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe
File opened for modification	C:\Windows\SysWOW64\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe
File created	C:\Windows\SysWOW64\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe
File created	C:\Program Files (x86)\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe
File opened for modification	C:\Program Files (x86)\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe
File created	C:\Program Files (x86)\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe
File created	C:\Windows\fcvcyuxuyormqpigbolel.dgd	ossgjm.exe
File opened for modification	C:\Windows\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe
File created	C:\Windows\aimelsgodesynxbkqowaszgucrsgmblp.eck	ossgjm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	ossgjm.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	ossgjm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe
228	ossgjm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	ossgjm.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 228	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	92
PID 4424 wrote to memory of 228	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	92
PID 4424 wrote to memory of 228	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	92
PID 4424 wrote to memory of 4348	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	93
PID 4424 wrote to memory of 4348	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	93
PID 4424 wrote to memory of 4348	4424	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	93

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ossgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ossgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ossgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ossgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ossgjm.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.a8b3e6726e785ec919f469daca0085c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a8b3e6726e785ec919f469daca0085c0.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4424
- C:\Users\Admin\AppData\Local\Temp\ossgjm.exe
  "C:\Users\Admin\AppData\Local\Temp\ossgjm.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:228
- C:\Users\Admin\AppData\Local\Temp\ossgjm.exe
  "C:\Users\Admin\AppData\Local\Temp\ossgjm.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\fcvcyuxuyormqpigbolel.dgd

Filesize
280B

MD5
a8d7593af22534f7fd4ef253ff9177b8

SHA1
5588c229d57629dc5d3d5e49a63cc5cf254a62f8

SHA256
aa0a95028ae5c20cab6203d6d3dd4b8857aefdfca6fe8bd6f2d851a63b136514

SHA512
1317e981b6b9064f1d62ec7ffd22d3de63919e6bd98aa4ff1c447d16c51e72455d3a79c4be3596cf7a36c8e3badea67fff7d77a5d621a453724c974a501b302e

Download Submit
C:\Program Files (x86)\fcvcyuxuyormqpigbolel.dgd

Filesize
280B

MD5
3b1f1a84ce9d4141c3a1fab6b2f95d96

SHA1
17729bfaeeaadd4fae9ca5cd177fcfa92ebbfcb9

SHA256
31ac704abe695378685b092ce5d594bb7854b966721149d8d0973ea2535defa3

SHA512
467dc701847cd7bf576b7cb2889297cd6a3ee31515bf064fea8c929ef800289612e0487980159f6567680019a29075da9c3c8db0382ce6ce9dfeb736fb49e4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossgjm.exe

Filesize
2.0MB

MD5
f70cf0a57d33689a410d59bf80b3b84a

SHA1
466d794c02f5d3343920f62df014118a418fe5b8

SHA256
18c24888616a73c6748ca75d8971caac4afa7928c88e5c14f0287197510ae89f

SHA512
fbeb29e2869c5a668757dd2c698e97032cf0937cb12bcd07569cd2a1b8d79a14967bd2a9f957d21b6e7a868a6003da417bec595f32276a313accf51887aec873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossgjm.exe

Filesize
2.0MB

MD5
f70cf0a57d33689a410d59bf80b3b84a

SHA1
466d794c02f5d3343920f62df014118a418fe5b8

SHA256
18c24888616a73c6748ca75d8971caac4afa7928c88e5c14f0287197510ae89f

SHA512
fbeb29e2869c5a668757dd2c698e97032cf0937cb12bcd07569cd2a1b8d79a14967bd2a9f957d21b6e7a868a6003da417bec595f32276a313accf51887aec873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossgjm.exe

Filesize
2.0MB

MD5
f70cf0a57d33689a410d59bf80b3b84a

SHA1
466d794c02f5d3343920f62df014118a418fe5b8

SHA256
18c24888616a73c6748ca75d8971caac4afa7928c88e5c14f0287197510ae89f

SHA512
fbeb29e2869c5a668757dd2c698e97032cf0937cb12bcd07569cd2a1b8d79a14967bd2a9f957d21b6e7a868a6003da417bec595f32276a313accf51887aec873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossgjm.exe

Filesize
2.0MB

MD5
f70cf0a57d33689a410d59bf80b3b84a

SHA1
466d794c02f5d3343920f62df014118a418fe5b8

SHA256
18c24888616a73c6748ca75d8971caac4afa7928c88e5c14f0287197510ae89f

SHA512
fbeb29e2869c5a668757dd2c698e97032cf0937cb12bcd07569cd2a1b8d79a14967bd2a9f957d21b6e7a868a6003da417bec595f32276a313accf51887aec873

Download Submit
C:\Users\Admin\AppData\Local\aimelsgodesynxbkqowaszgucrsgmblp.eck

Filesize
4KB

MD5
8f00c17dcfa3b974f71b1a5a8d4ef09c

SHA1
f6f6d6d9fd015b43fe54064cbff33a4b12abec0d

SHA256
e4b49fd27193848424491cab082c6cde3369746dfc4e54a5cc2f9464f1f36323

SHA512
ac5760d111d2351fb11d70b7b1a102e50ce0378bd0adb3163622acf7580835255e4e7812f8e38e69f5b5835fcca7f356e178ad4af09ace0abd245578f6f4fb2d

Download Submit
C:\Users\Admin\AppData\Local\fcvcyuxuyormqpigbolel.dgd

Filesize
280B

MD5
058ecd3221c6200252464abc82ac7405

SHA1
8e36492a1b9871566b2bdc03412196bbb1566a4c

SHA256
4490dd89f8527f82f754934134b281780ff1fa5ee776122d43e67e505e4607e2

SHA512
5c93d930da0e31edaf80bc7edcf6d177e629f2d27f2b7e3e834637490f6f09df5882997bcbcdbb62d42c28e4787895af0ea96da6a4e925cb26d3c5ae7de755f5

Download Submit
C:\Users\Admin\AppData\Local\fcvcyuxuyormqpigbolel.dgd

Filesize
280B

MD5
074eeb540b050229c3db1fea490f858f

SHA1
0def9bdd4e0669f59e6267c8c5254dc5dd997f9c

SHA256
80b5ec9d85ea9f7bcef723f5d53cce3ce5c3e7ec6a0d3472f6e56b3f5f923e28

SHA512
00ae1c43be792ff056ad6678786a3617411d9071209e5aaca73b7cd08fd5512c86c658e4aaf265bc1296dfc104b6db1a0a378467bbff0dfbcbb6c40bc8627b98

Download Submit