253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Size

4.2MB
MD5

873c6264052761245df6b117738ac825
SHA1

855b7550370d5e7ae1e530d1b99cd1103fc0b626
SHA256

253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5
SHA512

9a8de1df29aa30f86f1b7bd6026b861749828c36c44023ee2ae8d3e5d53ca4561a7d45df34e39caf2deb729698f90bd80f29abc814f33aedb13a4fae7491f698
SSDEEP

6144:8cFvrd1rWkNYiclkBw1x42dy8r1YA+ycK23+86JQPDHDdx/QtqV:d1dCicWy1xFc8r1N+ZKlPJQPDHvd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adnru.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etpfulbvmxoubdxss.exe"	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ldcvnhaxrfzisxusvkhz.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "etpfulbvmxoubdxss.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ydpvahn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xfudlverbf = "ldcvnhaxrfzisxusvkhz.exe"	adnru.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	adnru.exe
412	adnru.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "ldcvnhaxrfzisxusvkhz.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "ypnfwphdwjcktxtqsgc.exe ."	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "etpfulbvmxoubdxss.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "attngbvtodyitzxwaqohh.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "xlgvjzohxhxcijcw.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ozrdobndqxkmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ozrdobndqxkmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "attngbvtodyitzxwaqohh.exe ."	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "ypnfwphdwjcktxtqsgc.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlgvjzohxhxcijcw.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "ndarhzqldphowzuqre.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ozrdobndqxkmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etpfulbvmxoubdxss.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "ypnfwphdwjcktxtqsgc.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "xlgvjzohxhxcijcw.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "ypnfwphdwjcktxtqsgc.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "etpfulbvmxoubdxss.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ozrdobndqxkmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "attngbvtodyitzxwaqohh.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzqblxixjpbc = "ldcvnhaxrfzisxusvkhz.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlgvjzohxhxcijcw.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "etpfulbvmxoubdxss.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ozrdobndqxkmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndarhzqldphowzuqre.exe ."	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pbuhthulzhvycb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elzhoxfra = "C:\\Users\\Admin\\AppData\\Local\\Temp\\attngbvtodyitzxwaqohh.exe ."	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbrbkvfteju = "etpfulbvmxoubdxss.exe"	adnru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldcvnhaxrfzisxusvkhz.exe"	adnru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgntbit = "ypnfwphdwjcktxtqsgc.exe"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adnru.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	www.showmyipaddress.com
46	whatismyip.everdot.org
50	whatismyipaddress.com
64	whatismyip.everdot.org
88	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File created	C:\Windows\SysWOW64\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File opened for modification	C:\Windows\SysWOW64\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe
File created	C:\Windows\SysWOW64\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File created	C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File opened for modification	C:\Program Files (x86)\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe
File created	C:\Program Files (x86)\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File created	C:\Windows\rtcfhlovzxbuodksfelnwzbfip.rvo	adnru.exe
File opened for modification	C:\Windows\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe
File created	C:\Windows\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu	adnru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	adnru.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	adnru.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe
4460	adnru.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
412	adnru.exe
4460	adnru.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	adnru.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4460	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	94
PID 1996 wrote to memory of 4460	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	94
PID 1996 wrote to memory of 4460	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	94
PID 1996 wrote to memory of 412	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	95
PID 1996 wrote to memory of 412	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	95
PID 1996 wrote to memory of 412	1996	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe	95

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adnru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adnru.exe

C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
"C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996
- C:\Users\Admin\AppData\Local\Temp\adnru.exe
  "C:\Users\Admin\AppData\Local\Temp\adnru.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\adnru.exe
  "C:\Users\Admin\AppData\Local\Temp\adnru.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
5835f83e9227994668fa7e5e514b3906

SHA1
5a86e57259ce9978d1fe1e6dea0a1bb8884c16d8

SHA256
11b3948cfcd3fc7904e0570bf1f91e33fdcc58ce3ae7026654f6f965fefb72e4

SHA512
1cd1265d8e557b9c40fe9305bf78fc84bc85bd7457ebd26dcf72aabdb15eea2a569ae8e902200d291127d50279ece4dd5939761a880bda03673d941028d9a2ee

Download Submit
C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
521d978fde91b82eb74a9ac7564e5c09

SHA1
a9a607d32d87812414fb2c6f049b51dc0b4d64cf

SHA256
d662d322e9dc96d25c528f3f88154023b14acf2e6f91b3a7dcd312dd3957c2dd

SHA512
574f89b9b13f90e2335026a4044f4398a9fa7d360190e3d5405d20275e9dfff1d8cf1423c11964203de0155ba2d07e75ac58f95af3855d7821adb4ba2639ed54

Download Submit
C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
6314b13ab47d4baf857d48f0bb1d2319

SHA1
ce760b3d74780856ca46313330d6249487ac2ba3

SHA256
4a657f267848b6411eb401c33561d763c3a3eca60f2b355ca92d8b1ea07e093c

SHA512
af29c8811a7194180d902e6c084334a9d4068c8595ea5b22e5d6a0e7fc1c5d2cefee8d3620ba1221db9329fc8d79ff95d1e732852d1e2cdc89017447a02abb5f

Download Submit
C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
68648de106ae19ab9366baa567d56c15

SHA1
c29b1d9912a4d16f5d509fa5d382aac8ace81e73

SHA256
6b76e97933051b2de85ba9bdeaeda0502c1d3773e929f30434b82ef90c4e065b

SHA512
086b31c3a5a31e0149cd8fce24c7d564fbb99785c3448f5670fec49c1c6febfaa0b3acf720b047e4a5c7eef6ba731517128856073fc48b1f5bd39529da8e1854

Download Submit
C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
ec4394292b383ed3c1625eb8cdaa5b5b

SHA1
36a504832abc54521a282edfc4ae589f610d95f0

SHA256
808fe8e264bc60152d8a45e94ba4ecdbbd5d1dbca569fb6b3e94ae626d169a1b

SHA512
5c036ddaab5f70de18c438835f01445729f5c58d7d51e455c73be30e6e78bd05406e733beb40b17accef70cd7f0260a3da5810ddfe72a0a48419f83b36fe0f56

Download Submit
C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
6fb2ed374a251b4c5838926b5357b88b

SHA1
9204ac12a5cbd6e917b12b9d57b4e4bc7c59e709

SHA256
c637a5cb96958a0f92264e8278bdb0f41ab35911255e488b216d19d694c59153

SHA512
6ff58d7acf313d2be6395bc2ff3ca8d469234af8ca0784c0e4716b7fb68f9551296088022fc62f3d9e55ad4915f46ecde0a8a28199133a4babef7dd466b33a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\adnru.exe

Filesize
5.6MB

MD5
623242ad35bdd716bb2d0477a0f59250

SHA1
b97e85c9f67ed7f448d8523b4e2afbd4f9ac0660

SHA256
69d7f52b051e34d0361e6a82bc450b51168ebfe339f475aa4ae9b3926c4ee57d

SHA512
3f15a2afcf8c4563b5152d28712fece07ed8bd6b52db2a8a8512c11b0fe9d8bd57993523b392058bef9ffb5e3569447a00719bd276aa89a613aaaf6452c90ced

Download Submit
C:\Users\Admin\AppData\Local\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
c6d167a5c11ac45fe04686faecd88e63

SHA1
fd7378836ca916482602807f3277eb4eaa7d6bb6

SHA256
3b6468cb35077baec22ff42b2a2f3ca208c1430a510889a1ddefa26926a8eeeb

SHA512
7d4887d70e889b8e6ea39ade3dd410cd0e23bbf3482ee18cf5c14a18e162c3bcee8682ce720e3b8e2218c0b29e0c48d61d0eb3a0d49a23a73d2fdfe9212f3e71

Download Submit
C:\Users\Admin\AppData\Local\rtcfhlovzxbuodksfelnwzbfip.rvo

Filesize
260B

MD5
1be32faf4d838a09705d9fa417d8ec56

SHA1
f5866fd82ced60b9417843671a1d7af639ee3a7a

SHA256
2b0c431548fcd20276c70cf9d27db68306051b79760e81fd1e050efbccd5312e

SHA512
c734eedad558396665ffbeebf148b4fed389e985dd85eb449645f8494a916cd4c416a0f5cd5e6442f40b105c720eb9a8671404debfed7671acddd6212a0d2af1

Download Submit
C:\Users\Admin\AppData\Local\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu

Filesize
3KB

MD5
75cd60233103e3c4cae7efb8abc92091

SHA1
3f1878fb452e27a6cbf28c0dcac3b6ee5d2d711e

SHA256
d5040d478b14b37bb3521b209db89154bf360335c8c77c2e430999f8adce249b

SHA512
6e549c5e971bb46f0e7c9d33df58835ce2b6030d0859b2d1c26cd4c6bcb2959aa5dd8f4f124a9b1c170a5e74a535e7c9fbaed546b5a4cc785532058610b2df31

Download Submit