98c0aa5d72889e324c8651ee538e777a136d59d1f9abfbd4d59c20fc66ff0836

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11fc825e7ee3156e9ab4a47e01d05820.exe
Size

824KB
MD5

11fc825e7ee3156e9ab4a47e01d05820
SHA1

c0531cfd6e692227a1d1c91623e3842635477f8c
SHA256

98c0aa5d72889e324c8651ee538e777a136d59d1f9abfbd4d59c20fc66ff0836
SHA512

ced2c223281c8611f959b5527950c5e058da6561e12b3dfced9dbab16396212f37214ba1f7da88df584db1fdb93d4cd277ddd947558f46578b8bdee304083eba
SSDEEP

12288:PpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsIX+pd167QhEXn:PpUNr6YkVRFkgbeqeo68FhqtE6Eh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lmgghplyvwq.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "hrhdqozvhylssyftv.exe"	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "drllcettjevgkufxdarfz.exe"	onsdfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "qbspdcolyqemnucruo.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "ajytfcmhsiuazekx.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "obutjkyxmgwgjsctyukx.exe"	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzjzgydtzkr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmfpksluiswtw = "qbspdcolyqemnucruo.exe"	onsdfs.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	lmgghplyvwq.exe
852	onsdfs.exe
1948	onsdfs.exe
1848	lmgghplyvwq.exe

Loads dropped DLL 8 IoCs

pid	Process
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2152	lmgghplyvwq.exe
2152	lmgghplyvwq.exe
2152	lmgghplyvwq.exe
2152	lmgghplyvwq.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "obutjkyxmgwgjsctyukx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe ."	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "drllcettjevgkufxdarfz.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "qbspdcolyqemnucruo.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "hrhdqozvhylssyftv.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "hrhdqozvhylssyftv.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe ."	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "ajytfcmhsiuazekx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "obutjkyxmgwgjsctyukx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "ajytfcmhsiuazekx.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "obutjkyxmgwgjsctyukx.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe ."	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "drllcettjevgkufxdarfz.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "qbspdcolyqemnucruo.exe ."	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obutjkyxmgwgjsctyukx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "hrhdqozvhylssyftv.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrhdqozvhylssyftv.exe"	lmgghplyvwq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbspdcolyqemnucruo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drllcettjevgkufxdarfz.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnfdssfdrkziksbrvqf.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdrlwsbvfufkimr = "ajytfcmhsiuazekx.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "bnfdssfdrkziksbrvqf.exe ."	lmgghplyvwq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajytfcmhsiuazekx = "bnfdssfdrkziksbrvqf.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "hrhdqozvhylssyftv.exe"	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxizhagxeqya = "bnfdssfdrkziksbrvqf.exe"	onsdfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxjbkeldlyhkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe ."	onsdfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrhdqozvhylssyftv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbspdcolyqemnucruo.exe ."	onsdfs.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	onsdfs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	whatismyipaddress.com
11	whatismyip.everdot.org
2	www.showmyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	onsdfs.exe
File created	C:\autorun.inf	onsdfs.exe
File opened for modification	F:\autorun.inf	onsdfs.exe
File created	F:\autorun.inf	onsdfs.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ujefxaqriewinykdkiapkl.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ajytfcmhsiuazekx.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ujefxaqriewinykdkiapkl.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\ajytfcmhsiuazekx.exe	onsdfs.exe
File created	C:\Windows\SysWOW64\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\bnfdssfdrkziksbrvqf.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\drllcettjevgkufxdarfz.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\drllcettjevgkufxdarfz.exe	onsdfs.exe
File created	C:\Windows\SysWOW64\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\hrhdqozvhylssyftv.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\drllcettjevgkufxdarfz.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\obutjkyxmgwgjsctyukx.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\ujefxaqriewinykdkiapkl.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\hrhdqozvhylssyftv.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\obutjkyxmgwgjsctyukx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ujefxaqriewinykdkiapkl.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\obutjkyxmgwgjsctyukx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\bnfdssfdrkziksbrvqf.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\drllcettjevgkufxdarfz.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\hrhdqozvhylssyftv.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\obutjkyxmgwgjsctyukx.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ajytfcmhsiuazekx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\hrhdqozvhylssyftv.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\bnfdssfdrkziksbrvqf.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\ajytfcmhsiuazekx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\SysWOW64\bnfdssfdrkziksbrvqf.exe	onsdfs.exe
File opened for modification	C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe	onsdfs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe
File opened for modification	C:\Program Files (x86)\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File created	C:\Program Files (x86)\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File opened for modification	C:\Program Files (x86)\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ujefxaqriewinykdkiapkl.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File created	C:\Windows\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe
File opened for modification	C:\Windows\ujefxaqriewinykdkiapkl.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\obutjkyxmgwgjsctyukx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\ajytfcmhsiuazekx.exe	onsdfs.exe
File opened for modification	C:\Windows\obutjkyxmgwgjsctyukx.exe	onsdfs.exe
File opened for modification	C:\Windows\ujefxaqriewinykdkiapkl.exe	onsdfs.exe
File opened for modification	C:\Windows\hrhdqozvhylssyftv.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\bnfdssfdrkziksbrvqf.exe	onsdfs.exe
File opened for modification	C:\Windows\bnfdssfdrkziksbrvqf.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\qbspdcolyqemnucruo.exe	onsdfs.exe
File opened for modification	C:\Windows\drllcettjevgkufxdarfz.exe	onsdfs.exe
File opened for modification	C:\Windows\ujefxaqriewinykdkiapkl.exe	onsdfs.exe
File opened for modification	C:\Windows\obutjkyxmgwgjsctyukx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\ajytfcmhsiuazekx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\drllcettjevgkufxdarfz.exe	lmgghplyvwq.exe
File created	C:\Windows\ideljsovsuskvmedqusnovtc.fce	onsdfs.exe
File opened for modification	C:\Windows\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj	onsdfs.exe
File opened for modification	C:\Windows\qbspdcolyqemnucruo.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\bnfdssfdrkziksbrvqf.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\hrhdqozvhylssyftv.exe	onsdfs.exe
File opened for modification	C:\Windows\hrhdqozvhylssyftv.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\drllcettjevgkufxdarfz.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\qbspdcolyqemnucruo.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\qbspdcolyqemnucruo.exe	onsdfs.exe
File opened for modification	C:\Windows\bnfdssfdrkziksbrvqf.exe	onsdfs.exe
File opened for modification	C:\Windows\obutjkyxmgwgjsctyukx.exe	onsdfs.exe
File opened for modification	C:\Windows\drllcettjevgkufxdarfz.exe	onsdfs.exe
File opened for modification	C:\Windows\ajytfcmhsiuazekx.exe	lmgghplyvwq.exe
File opened for modification	C:\Windows\hrhdqozvhylssyftv.exe	onsdfs.exe
File opened for modification	C:\Windows\ajytfcmhsiuazekx.exe	onsdfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe
852	onsdfs.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
2900	11fc825e7ee3156e9ab4a47e01d05820.exe
852	onsdfs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	onsdfs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2152	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	28
PID 2900 wrote to memory of 2152	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	28
PID 2900 wrote to memory of 2152	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	28
PID 2900 wrote to memory of 2152	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	28
PID 2152 wrote to memory of 852	2152	lmgghplyvwq.exe	29
PID 2152 wrote to memory of 852	2152	lmgghplyvwq.exe	29
PID 2152 wrote to memory of 852	2152	lmgghplyvwq.exe	29
PID 2152 wrote to memory of 852	2152	lmgghplyvwq.exe	29
PID 2152 wrote to memory of 1948	2152	lmgghplyvwq.exe	30
PID 2152 wrote to memory of 1948	2152	lmgghplyvwq.exe	30
PID 2152 wrote to memory of 1948	2152	lmgghplyvwq.exe	30
PID 2152 wrote to memory of 1948	2152	lmgghplyvwq.exe	30
PID 2900 wrote to memory of 1848	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	33
PID 2900 wrote to memory of 1848	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	33
PID 2900 wrote to memory of 1848	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	33
PID 2900 wrote to memory of 1848	2900	11fc825e7ee3156e9ab4a47e01d05820.exe	33

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	onsdfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	onsdfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	onsdfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	onsdfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmgghplyvwq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lmgghplyvwq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	onsdfs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	onsdfs.exe

C:\Users\Admin\AppData\Local\Temp\11fc825e7ee3156e9ab4a47e01d05820.exe
"C:\Users\Admin\AppData\Local\Temp\11fc825e7ee3156e9ab4a47e01d05820.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe
  "C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe" "c:\users\admin\appdata\local\temp\11fc825e7ee3156e9ab4a47e01d05820.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\onsdfs.exe
    "C:\Users\Admin\AppData\Local\Temp\onsdfs.exe" "-C:\Users\Admin\AppData\Local\Temp\ajytfcmhsiuazekx.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\onsdfs.exe
    "C:\Users\Admin\AppData\Local\Temp\onsdfs.exe" "-C:\Users\Admin\AppData\Local\Temp\ajytfcmhsiuazekx.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe
  "C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe" "c:\users\admin\appdata\local\temp\11fc825e7ee3156e9ab4a47e01d05820.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ideljsovsuskvmedqusnovtc.fce

Filesize
280B

MD5
79331f13f1f1fb5b69cff02e527db556

SHA1
204083cf9fe3ee99d638e4ddd1f99061a044dfda

SHA256
093fa1c337a906485d18995db26de9539b224769496b8d04564f8da40cb7e6eb

SHA512
e112897d30dfb64b0aeee1fc2558f146066c234d0155dd82cc22cb8de76b5ea81d1fed6e2aeb480c83cfcf7572c27feb13141db4cac3c54da64e27da670d5b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajytfcmhsiuazekx.exe

Filesize
51KB

MD5
777140d1980d5a4693f21630091227e2

SHA1
ae6a8c442cf25fd2c2a2113f8303309e2734ca4d

SHA256
36d55bcd0d044c9384cf59e013fe6112babef72ff87e1f85d160764c214d7a10

SHA512
4e02944ea868674606062e39bd00ea9dd4cce94e8726f37db8b235318c78e7dbc4a17fb5f7bb76d7a15bc2a00ef1049f7d7060f4af7f258b927cd5e4160bb789

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnfdssfdrkziksbrvqf.exe

Filesize
16KB

MD5
1c907383def4ee7caab9757f19109717

SHA1
a6703d205f7e9a72c2ef78a1c8a902f0317c2746

SHA256
7f125ab62c2813a6c45841d02ce0019d9114d59b2938f2a807cdd95329201433

SHA512
4809e8ead36aee52606374db7141f89bf7101d3ad6fc2ab3bb87285838456aed1e6e6b51bf76c07b20567b99c396dfdeabb83e3a5ac4efa33d0fc98e1f48fc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\drllcettjevgkufxdarfz.exe

Filesize
13KB

MD5
410ee90d98e3cdafdd5ca28dd8e7dc3a

SHA1
da8b88c12efd1e77dfaeb06bf6a75a9f72072f28

SHA256
433fef3e882df3e9b9d9cd2490b0a8adb3ccb155e6357a10b72c9a3b9068fd64

SHA512
70984f8941f3fca10eb13d9d146631ba8eb7ab9d1bcde5ce3bc4a09bcc13fbd77308be31c1cb74c9447d0d1fe00400d7ebd3c501681023d97f11db4868ebf0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrhdqozvhylssyftv.exe

Filesize
4KB

MD5
526aff6138f2914b0b8b0f4a5f0e6d63

SHA1
d820698876f0273f9b0bd897be11f0eb1ee53a67

SHA256
8e0c6793c337745af177834421bed1934c23c183d453630aadcbc5353fb28526

SHA512
20990f985b8a9ae2fc8c8f2d652ec62fd678692b09266923f07dd7c696412c306c3a68f5746410d0b745456c1b9c376cc4d788829c2748d1bf941f58d19378ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe

Filesize
98KB

MD5
ab7f00db231883ed09e8d6e77954dccd

SHA1
120ea31f59db9b1cea54ec1de8b2d39af3fdfdb7

SHA256
46e40ad0613e5adff34682113eacde500193f2189b49bf5ba65a63ade3b5b1e0

SHA512
7816ac27f688712e492adcc4fe43862ac0bd6bc678659c05cea829d45704df6cd0fbeb17f92868681d244d7bf1be39c9218123c3c35eea9f948127e25382be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe

Filesize
150KB

MD5
2e9f62368b222ccbc748fec6332ab129

SHA1
afde45ffc1399e42b6861e48a2973e0bf0d8a1ca

SHA256
1d30b666400aef618a52e5cc1ea6ed191c2f72cdfaaad6c86ec9958ee53a5cb1

SHA512
acbe200bd82fe17a593eca1c0d8ad3829deca689a6bca1f18badde0733b2c097b536b93d430415dd986007b5c81b31f4742227723623e7fc5918a2d6ad24a872

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe

Filesize
128KB

MD5
3f3fb77fdebde005a72fb0da201f855d

SHA1
d9132894f05079b86648588b9f58145b963c329e

SHA256
aa95dfa8f4c97e62b65d76b1bfa8af7fd16ef7d5d95545bcb53e3e4b5ac49d6a

SHA512
bc095ee5339b6fbdc5ff102612d795a11abab1fe3d1e7c50f542886d72c8b57dd400956e6a1a4c206f08bf488e6091c2d9b9f4f253fd493f7d332d64538b402a

Download Submit
C:\Users\Admin\AppData\Local\Temp\obutjkyxmgwgjsctyukx.exe

Filesize
27KB

MD5
424db1a411b66a7af5df7b3f2b3432d8

SHA1
b1f844562013b3b46efe69f79c657b446954915d

SHA256
d189ac47ecc11def154f83dd1d308da8c58b74828d7cc3b66234d8df1edd65ad

SHA512
ca0ee9079b302706a4a6d2bd73fef57adc780ced3d8f9f1ba1f916e97ed648c9ec513c76b1e35b4e3e357dcd45bb23f1179432c877d02188bfa9ff537dfbb574

Download Submit
C:\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
320KB

MD5
690108a7091dc86fa29731b2946e0151

SHA1
51423ed69bf5d8ae4d757eda97eebcb9bcf46bd3

SHA256
965cffbed0348b78ef79f67e00a0f3f81fac8c0bc0a741ad0dc62df619702656

SHA512
438100365ea9be800d863a6f490ccb1f256d1b24b5079006b8b4b6c3ab8880dad620a2b6e768d6b3904dfb180afabd7b3c0f37664fbff927b1f87dd588f104dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
128KB

MD5
7fe8377ee79fe83cd0c005b25705db90

SHA1
822b5a086946b4737c375dab2c295743a862356f

SHA256
f817909c1b485b8a0d0b0cf97532d66b11e4a7f6ba136821086c35306c13803e

SHA512
5021dc46472bd4c9c683ea8ab35c9206cb15e8b4be50656a3df56b5413b9ca9a06c814f71df53a0035103797f76763dcdb15d936ed348053b23aab9fd2eb6fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
77KB

MD5
06a353c1990f7aed8c93df423a3431bf

SHA1
50b62cc98fbc131f82228555d75e315e57c5cf44

SHA256
fc3aa6a551a0276f2c978f0c23061ba95185e4317e5af728482f67f9ca07801c

SHA512
4a16e1d71f723e4c8924f40761136f17bdda9d870073b131edf81e767555ef8066ad85fdc3ae554166cdba698b86235638421f1d294298a8def6beda83e38b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbspdcolyqemnucruo.exe

Filesize
32KB

MD5
784b2b879e6bd615065d5f6c492df16b

SHA1
215afcfcd15ca1649917d3a30dfbfa03d00f30c6

SHA256
b9364d9e16c958d3a93f466a907439d65c71ae875e3f30177e9a7e4581f72e89

SHA512
9df46f96bfd999a238617a11f4c2e6ace2e7fbae8b798dec54b12c34ea0c338bbda0d9a6d590ef5b27528bbdc26302b794790b183d69f01333eacd1ca684c718

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujefxaqriewinykdkiapkl.exe

Filesize
58KB

MD5
5094666425984a5995e2c12d2711d280

SHA1
d32d6f9575be51c28a393d13090222d2f6a12019

SHA256
cf40e553fcf2a40ff6f37e2c570e993ddf865cc17d4f59049d51a8511af9882b

SHA512
26ccc1462cda353c72bf380ad9fb12a8225b4e7a74742cfe2496d361ce08e785a70122e7dceb745f9c2d91f031de45bca4ce3e50d120c79f7c668c2b76896e49

Download Submit
C:\Users\Admin\AppData\Local\ideljsovsuskvmedqusnovtc.fce

Filesize
280B

MD5
793d0a8e0a5fe7639a25c0ffd7a10ddc

SHA1
4d138976cb866df39afe88b5dd6bab3df414b5ff

SHA256
21d41157a23922b5504ab1422e1f1415aa20093dc81c7ed733d313626091bf69

SHA512
d4d532cbaf83b5cad2ae34e78e0968aa48e1281ea119b5439faa54163bc47e276ca2d5af863faa1330464e79a9ee7902b9458b4365bd416a6b83d78ca3786f26

Download Submit
C:\Users\Admin\AppData\Local\ideljsovsuskvmedqusnovtc.fce

Filesize
280B

MD5
db7ffb272a4381a84995b0e3af35d86f

SHA1
327745403948908ec40025886ae6d2cf7f79c1db

SHA256
d113559ed0ce32c64db4d1a2cbee15009ec81f33f2aad23a31134d73c62e9ab6

SHA512
7d176c98a2165ffe98c7abb1c67c6b4b843e94d907fbafcbc57cbcf83a89e6c2ba6a928aedcf1b289fb0eaf4d966fabce4a027eaa0dddb2b73f1936e2fb2412e

Download Submit
C:\Users\Admin\AppData\Local\rxjbkeldlyhkgilvtirxjbkeldlyhkgilvt.rxj

Filesize
4KB

MD5
d5a83c82ea01fe720e1924213c117c13

SHA1
6262a6c989e7c26b326fa4ab4b11100a0a61bf3b

SHA256
8a5dbeef82c699c97b02d1d91178664cd33c221fdf4ac7ab3dc4f8fdf85707e2

SHA512
a80e46d2f0492ab0bd1f5abe1617838880644c4db5a3b5129b407375fa98efc6f3aed82e386669036e419eb00d93461ca723f62a8941e26522bec9f5882bd6b1

Download Submit
C:\Windows\SysWOW64\ajytfcmhsiuazekx.exe

Filesize
23KB

MD5
90fd2ee0e28d3706d5293bc4acdf22c5

SHA1
268de37decc4a4377705853439b6b259a648cca2

SHA256
cb71358cf7a9a7e117826b86cd0f503237572a03fa3251f8493640cef97c6f25

SHA512
48f77785233cc2e4b638d87a09d61721c63860d092d913b5c017caa8420c984582b1ad880f3c2bcd5450e22aee5661f7accf55e942432ca40692539773798d06

Download Submit
C:\Windows\SysWOW64\bnfdssfdrkziksbrvqf.exe

Filesize
81KB

MD5
a39d139ac3fb2ac1541fb5dabc0e0f51

SHA1
192a91e0d189b6c869caf399c28e9fe391275e27

SHA256
30ba2a07afd0615434cdddb297c7a26146eecc920d61910102a55f4c1b69cf5c

SHA512
bfe2bf75c8ac622287e9f5783266ef9779221ed252555169c5b064b778856af707978c709314ced2c46eb074a67d6502410ecb7a0e566dd9f19963a2cd686c5d

Download Submit
C:\Windows\SysWOW64\drllcettjevgkufxdarfz.exe

Filesize
85KB

MD5
5176f804fd1c76ac9f78a24f80d1482f

SHA1
435e35ee1e5a26aa02ed8298d70b3f89d9910dcf

SHA256
647d249a818610869d98d8d8a674ddf035ead97e8a48dcbc023ca84dcfb227ac

SHA512
bfcd5697a4d0b2fc4f0ae1f28c8fec8c8135d6281218fed6379eb345dfb1e5c77e3dd18c19b0deaa754a76b85d4033daadf7e711ee14fe65ebc691e1d40f2dd1

Download Submit
C:\Windows\SysWOW64\hrhdqozvhylssyftv.exe

Filesize
31KB

MD5
981787e445869ffe5501503eda7a0cc1

SHA1
56cdc3062bd57e1a21d17ab871d2b6b9c5b2b7d5

SHA256
845d3d70a19fbc5b221e94026d17f03074e1dbf563ccfc7b624ef8e27732a73b

SHA512
ee2aba479b66095c79e79181b90d49472885210b30a2f74e788627a5c63f45c736468dab1539ed5283ebf6fe43834ec1c917ea6d3cb96eddea6a295138f24d6b

Download Submit
C:\Windows\SysWOW64\obutjkyxmgwgjsctyukx.exe

Filesize
32KB

MD5
f99efb111b0b5de0449f04b63b4ac5e8

SHA1
35c7c8cde391c640dbdfcac714ffd5ef984b4797

SHA256
1a2451d3d3e76262b1e2d03f822079c0a55daeee6ff903aeab69d8e7c70a495d

SHA512
908780b19db933c6764807b47d9765d13960d69aa86afd8e09938ba35a3843cdb046d882a72dac8bac7db2a332c0154c45c64439415e0d853cc71d29e31012d7

Download Submit
C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe

Filesize
824KB

MD5
11fc825e7ee3156e9ab4a47e01d05820

SHA1
c0531cfd6e692227a1d1c91623e3842635477f8c

SHA256
98c0aa5d72889e324c8651ee538e777a136d59d1f9abfbd4d59c20fc66ff0836

SHA512
ced2c223281c8611f959b5527950c5e058da6561e12b3dfced9dbab16396212f37214ba1f7da88df584db1fdb93d4cd277ddd947558f46578b8bdee304083eba

Download Submit
C:\Windows\SysWOW64\qbspdcolyqemnucruo.exe

Filesize
33KB

MD5
ac0945bfc687ab0ca0efe25b372f9651

SHA1
9cc85e23d6e4ca20df72a519e98f8bc429274eb1

SHA256
9e81c2acc26d37293ab01712295523f4a4a02f42597477d05d25bea0059b3351

SHA512
fb93d9ca12f81b3b16232f5daa38da80337e84ad73ebef18b6eb392e6f6ea7d88d8fe9aba31fe68aa6180cc71050a0fbd936dedceee1cb6b02529f8b3681a49d

Download Submit
C:\Windows\SysWOW64\ujefxaqriewinykdkiapkl.exe

Filesize
15KB

MD5
eac3e92b28230ce2d80421e16fc18519

SHA1
ea74237229bada78fcd93d4e52960f519e5a850c

SHA256
a6fcaf2498d076d006fc0ea82f77e9a8b1e826bacab1edc7eeb1360249574165

SHA512
1bcdcbbeb045e7a6bc61bb6f7f9af1e5ba1bca88f892f03e153f3c2d5cd5149f8fd91cccb164d42effb4083537950d8e11d93c6278a0bfb52dab95178f5b70a2

Download Submit
C:\Windows\ajytfcmhsiuazekx.exe

Filesize
320KB

MD5
be8fb960609323a14b45cffe176bfd2c

SHA1
cf4970525cf5583c82c2536805bfe71dc007986d

SHA256
88e0ba50524f632341a518a5d4ca16f277e9fb558f69e78014f8182b0d3c8b16

SHA512
28cafe5b113841e451eeb8234460114e151bae0e4a5d4c812270d293d41538afeb6fa9bf3c1a1f827df28e3f3ba244296d4062c7efc7be20a7d3bce4d5218d55

Download Submit
C:\Windows\ajytfcmhsiuazekx.exe

Filesize
14KB

MD5
5eb93c981a7d8cad7dcb912f3d3f73de

SHA1
1cf6a4a778befe61c3f48ad34cc108bb34529ead

SHA256
a5f60c941d0c650229826d80541cdbe6f17ffe4d293017f7d4fce269b47c4fe2

SHA512
f5cede6a9482754bfcf55deed023139876f8cf4ad0b4d1fc164d54ebdb869a69a5efad3f4e572d039d9fd4e40164aa56537b807b07b3df5d29d6a906853216fa

Download Submit
C:\Windows\ajytfcmhsiuazekx.exe

Filesize
32KB

MD5
c3f570efc1a0e02aa7b228617917587f

SHA1
9df9cb9a1657de225ef2f41871839701990e85ac

SHA256
f2c08e9701703c3ee8048343a398249731eeb7b3a265eb8d53211747c839ff6d

SHA512
aae598b90d8c1a65765227e70589d8ed6e7175021b3ae2f14cdc3329a448dc0157a9818a50b8a58bb7818655c8d5aa5a8758127734b95e7b2fa3f32e5884d660

Download Submit
C:\Windows\bnfdssfdrkziksbrvqf.exe

Filesize
4KB

MD5
1cc678971fb1b4130980bb7c90449b25

SHA1
302e210927b5b318974c55f5d2cb5cd0ab01ff52

SHA256
1d841da37820b9fe20cd22beee8cdcb1d87d66a8d6faea1fd99e19fd1203e891

SHA512
31f5ff1f513aa6912b0a3b5665fc2dbe2519316a915775a23b2927a153b6098381b41b0a0ac44c8ce914706713a6453354f7fa73b831c41b30e80cd1d097ffb2

Download Submit
C:\Windows\bnfdssfdrkziksbrvqf.exe

Filesize
15KB

MD5
67982954baf08cb85346be0a953308d1

SHA1
c9ec5ec5feeec52351b6db13bea1e7a382d5513f

SHA256
45804d7ff8200e4a34abda1512d2023101b0ab6da5c9c5e8981634a479b1ac53

SHA512
8217e809de438181986737eeac7ba45a6cee7a7b82fefa294f4b00bb224bda49fe57ffc42d9083e8835c5ccc91ba04a239a08eb96c60fcc75109b8085681eb6f

Download Submit
C:\Windows\drllcettjevgkufxdarfz.exe

Filesize
15KB

MD5
f64692cd3dd00dd256c8271c3c3ccd12

SHA1
87867d11d52252e5c0267c6c7681966ee870aa49

SHA256
dc017a0493e788d885116ffaacaecd43df40ae99c0b60b61f9a2dfd0a3835b01

SHA512
4808e12fc4690fc989fc67c5579ddea09a4f4f90e471742d3d49d94ef5c163a21ed7cfd89b59548e45f46c44c018776e2c35477cab5627cb3a57cc99803aeda2

Download Submit
C:\Windows\drllcettjevgkufxdarfz.exe

Filesize
15KB

MD5
a5e368074bb73c83f36f60ae5d61d246

SHA1
6ac280a41001ef4c11bc28b2e21fe2003f739587

SHA256
50d66a128decdabf2055d1f29af9d352e9b25f586793d5d31ef9ac7e3a091c35

SHA512
ae945a378bbc7882d3386ce716c15ede8ef888440b2d016429cb91f760891b2f079ee8963fb1955c5b782a226fc522d6c255ad4750d170efb8806781740433b2

Download Submit
C:\Windows\hrhdqozvhylssyftv.exe

Filesize
21KB

MD5
dd794f9c7fc1e942fcbe3d9f87eec81e

SHA1
da75d0685795f862400453f8f50c566a30b743b3

SHA256
a9b3b4a5c7559ea63a64e6822667636657167318b33c7017293d8e02ba55dfcc

SHA512
d6520a84e0402eacf8ba67476e41b2b47c62e3cc372f5a3cd1cf0670a0405278a72f37a912f35106d72b6ec0e2bf1c47392e922543a23d6baae7d97148c5bc37

Download Submit
C:\Windows\hrhdqozvhylssyftv.exe

Filesize
16KB

MD5
82d14f79f61d8ac195e033968344f4e1

SHA1
0037f78c6145e799ef4d9f6aec328460231c61c1

SHA256
1b4f55e556ec1916615802dde44ed7d1f6383663545300901a0ddc24bc6d73d3

SHA512
1d92c2d520626f4a8bf7c1b8cbd38ed2a672afb2739392f6daccf2c185a938a9b45ae05c702e10f1386fc32ee4a089f167919ac184beb8b32ca66f72f9635dfd

Download Submit
C:\Windows\obutjkyxmgwgjsctyukx.exe

Filesize
27KB

MD5
fb34da01c9d6db5ab1b2cdd26ac89751

SHA1
9c850fbe5f856eb556381c138e6f57f6db5d2c62

SHA256
3259ca43601537d9ded1f5827288d07cb0291e01a351d232a9f1f526a4a2545e

SHA512
46746c79906dc13fb7d2838ee9145fbad674d826cf994453864f52b2bf0bda65f2d2b7071f6c27f06bc3f2a9a3ff5a5916d7111d58a1590a18f0e7e8de0f1804

Download Submit
C:\Windows\obutjkyxmgwgjsctyukx.exe

Filesize
10KB

MD5
321c719d9814d4b240453698ecf6daff

SHA1
d87a25b1250108f6440ef786fda2885e2a03c87c

SHA256
f5855396dd0ccdb29016c2c1330ac3cfb245b306a8fbda5558b6cf99d886762b

SHA512
5f1de00c6f816d29d7ec96f792733ee8c3857b2713a78b6e5d0b88eb22f81a6960a5d2456f0d1c2d40a15418da9f6e35e5668e6191832debdea770b3344ab2e0

Download Submit
C:\Windows\qbspdcolyqemnucruo.exe

Filesize
22KB

MD5
ec9dfc5285f5f0e891bc9de352f01a73

SHA1
b861687e85297321ed4d88854f824cec915c84ae

SHA256
6a268a1257b674714aa0e3089c53663a156d7ec5272860acc135b7a06eb8756e

SHA512
fe7b744574a80326f226a9143e4a5b3d1f191701ffaa60baea8f69da0f6bae90301088ee9b1ab078ee7b04e285895dab9e06e3d49b6c7e9cf5946ceddb74d5d2

Download Submit
C:\Windows\qbspdcolyqemnucruo.exe

Filesize
512KB

MD5
c90453c0206486aec7cec11bd817919e

SHA1
bae4af11b2345886e09d5907fba1a1604b209cf8

SHA256
5d5f91c0156e7c634b46d5d074240a4c9c25e2686e44eea6ae54053bcb0ec45c

SHA512
5a8c495e65e21922851b37c7af8a08f54af8f6559c055c15eb952750e57569f3183c3bbdd26cb3ab2d303926cf4a28475a257660591edd971195c52e0e2a6c42

Download Submit
C:\Windows\qbspdcolyqemnucruo.exe

Filesize
21KB

MD5
213661a4dc0a0c4e90d8009ac98d981b

SHA1
19bee5e18dbeed887155c79b98e6947d60cda9af

SHA256
9d7baf2b97e4c2c58b55dcba315179d948920841a4c759aaa0401137426c17fa

SHA512
41262c47086cb1dc8b54969f51c3a980d1b5bf8521856d35be2924f5bca6101a0a16a41ecafef434ebefeba1bf6275730920dedf24f2f949a3efba05361d5098

Download Submit
C:\Windows\ujefxaqriewinykdkiapkl.exe

Filesize
50KB

MD5
18aeda0494a5540cf7b58d925cd2afbf

SHA1
e9dcaad9033588beb40a9ea4c50db3459d2cf3da

SHA256
bfed0be987f24a4a204038de73e1a64296cc47e51eec5f6089f179408a4271a8

SHA512
a9534ce8bcf9cb19434038ffcdba5bf57580ec806e5d625073b2966aa4ab12f5a5ee73b1a5ef1086ad66e1fae43f96b8e42ae8250d627e4a33072ceb3d1b7d55

Download Submit
C:\Windows\ujefxaqriewinykdkiapkl.exe

Filesize
29KB

MD5
3a51b5bd5da10b540baab982d8c034e5

SHA1
42a3f2bc29eec0a51d65b5fcfb4393c16494f232

SHA256
d88ef7b178c6915a721705f278384745d5910e72e82c607537211752c47923ce

SHA512
7f752b07b5f639793d6b774928b2fa8d37365d1b7b3c0be9e1a2877f23b1398aef0a26ed55c87b6317e41d0c9162b4235c09958ad38af7175e03fc43a1320dab

Download Submit
C:\Windows\ujefxaqriewinykdkiapkl.exe

Filesize
128KB

MD5
72cb558324cd2399d1390c546f705fa4

SHA1
dabb7e56a823fbcc7133738e49870912af53a791

SHA256
74ce01d52990b10047b8e58f8c8421869a351fa148d3657eef247d003eb406e4

SHA512
52d319abbb823a934514cb1b7d91095a79957b848a64d6c5f6af099580eaff41070033e5831e3f8e7d87222a75304170fc9f357c1f9989fa7ad00841bdca602f

Download Submit
\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe

Filesize
320KB

MD5
8d8113dc6098a8c8e37e3413cb0bbe34

SHA1
588c6552b93e207165e9f706b29178182a6237af

SHA256
8e619b2d162456e75bad9d85fcf4aa7f314c638d09f125ec726ec2d4cbd9fcfa

SHA512
ee9826a627ff1483755144808e5d526263ff0443422c23e9fd3af95d3acff88cf622fc876b2452d67840e1863d1200fa8cfccceda90116b9299922e3d54612fb

Download Submit
\Users\Admin\AppData\Local\Temp\lmgghplyvwq.exe

Filesize
192KB

MD5
4c57da957ad77dcfe523bcb9bbe88fb8

SHA1
22f7bd39c1a8103b295045ca9de72c8d5b84087d

SHA256
8ccda20bfc8a17e5315388157889654b1c2ce494081a8467bd839b72ac90572f

SHA512
2d2a3d30fb9171610b47484bed858399c86557dd7b059c720107d2484c0553fa8db224b30b024e36461b692c6e831de4ccb8391110e3956db917cf6676152e34

Download Submit
\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
393KB

MD5
9ac8fa8adfb2314db66eed409d6772f4

SHA1
fa41ab9ab66ce9520ba5e47b71fd43933591d0ec

SHA256
be7864af292da14f5e354b1ba0c23a1e86f83c67889925c75b32f8589b7b7b0e

SHA512
04e2cc9c300b77baacfcc509dac539ef478495bd5c48ebb135f2e4c762f4148d103e4c1f2dd52c992ba5e432162af09d451eb17db3e859f2f011ff27d5d35051

Download Submit
\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
566KB

MD5
990fa09fa733e064169a29f558a3aa02

SHA1
70af65f755e3fb997b670484fc6218bc82388382

SHA256
21b41cf9e4e3409a457cf51bf6f3e7b977b8c36be21bcdb783e6ea5f6c9913e5

SHA512
f2a4cf6d81a0aa809032e7c07f6193eb9e6d270a6af13d40798a733169c4a6968aa6fe576fdd7fc30436ea2f536f79883917d221d30de5b46e47887c8a1d28dd

Download Submit
\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
373KB

MD5
4010de26ff138e4bf26644ab6523f371

SHA1
f49c0a4d31e0013caf5330ef2988b8fc09d5d2d0

SHA256
ed9c6cef467c8e15e1f5f2c8f7ebddf83c00180527d8bb2947efe343c18bf654

SHA512
f1c43f791f7a0871e682d3a3c823c3792fa684cfd914f34e18b5501d6a493819bdbc73f132b8fcdbb14bd0ffbc363b16a5e8767a376445df015107672e306519

Download Submit
\Users\Admin\AppData\Local\Temp\onsdfs.exe

Filesize
68KB

MD5
f29c00a3f84e909fee6f045c997f7955

SHA1
84fe37e7e05178e649506ba2454321eb969b6547

SHA256
877bd8da8ef90ad1ccb814987b9722094e268b3eaa9fc82a6d41643224442bba

SHA512
d63631beeb5cd566a748479fce7a5d3206599120cd3c47a2e260f4a1ae9aaf64eaa928788744abc3b80e353917ec2d22212ab91477ba9e5efc9b853a90ace660

Download Submit