7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

Analysis

max time kernel
154s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
Size

648KB
MD5

68499d93e5ff4d1e8bd7b14ce3b55add
SHA1

8eb09e8c065d5d489024601650494d806f76a454
SHA256

7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71
SHA512

4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51
SSDEEP

12288:IpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqss:IpUNr6YkVRFkgbeqeo68Fhq

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ybnmv.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybnmv.exe

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "crpavleunxgxdxbbd.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "wnnaxpkcxjunvrxzdba.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "wnnaxpkcxjunvrxzdba.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "jbcqohdwsfrlurybgffx.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crpavleunxgxdxbbd.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "vjgqkzrgyhpfkdgf.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxqwmxlwkptf = "vjgqkzrgyhpfkdgf.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cjzcpxiqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe"	ybnmv.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe

Executes dropped EXE 4 IoCs

pid	Process
1968	grrfdxtjqbb.exe
1696	ybnmv.exe
548	ybnmv.exe
2492	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjgqkzrgyhpfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crpavleunxgxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe ."	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "jbcqohdwsfrlurybgffx.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "lbamiztkepzrytyzcz.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "crpavleunxgxdxbbd.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjgqkzrgyhpfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "vjgqkzrgyhpfkdgf.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrtihbyspdqlvtbfllmfh.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbamiztkepzrytyzcz.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "jbcqohdwsfrlurybgffx.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjgqkzrgyhpfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "lbamiztkepzrytyzcz.exe ."	ybnmv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "lbamiztkepzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "yrtihbyspdqlvtbfllmfh.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "crpavleunxgxdxbbd.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "yrtihbyspdqlvtbfllmfh.exe ."	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjgqkzrgyhpfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "vjgqkzrgyhpfkdgf.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "vjgqkzrgyhpfkdgf.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "lbamiztkepzrytyzcz.exe ."	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "yrtihbyspdqlvtbfllmfh.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crpavleunxgxdxbbd.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjgqkzrgyhpfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbamiztkepzrytyzcz.exe"	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnaxpkcxjunvrxzdba.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ybnmv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qzrwlvisfjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crpavleunxgxdxbbd.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdzibpgultaptln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbcqohdwsfrlurybgffx.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxrypbqcrxcpr = "yrtihbyspdqlvtbfllmfh.exe"	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "yrtihbyspdqlvtbfllmfh.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nzucuhxkahnbev = "jbcqohdwsfrlurybgffx.exe ."	ybnmv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vduymvhqcf = "jbcqohdwsfrlurybgffx.exe"	ybnmv.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ybnmv.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	whatismyipaddress.com
53	whatismyip.everdot.org
55	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vjgqkzrgyhpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\lbamiztkepzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\crpavleunxgxdxbbd.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\yrtihbyspdqlvtbfllmfh.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\pjmccxvqodrnyxglstvpsi.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\jbcqohdwsfrlurybgffx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\yrtihbyspdqlvtbfllmfh.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\lbamiztkepzrytyzcz.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\vjgqkzrgyhpfkdgf.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\lbamiztkepzrytyzcz.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\wnnaxpkcxjunvrxzdba.exe	ybnmv.exe
File created	C:\Windows\SysWOW64\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\crpavleunxgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wnnaxpkcxjunvrxzdba.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\wnnaxpkcxjunvrxzdba.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\yrtihbyspdqlvtbfllmfh.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\pjmccxvqodrnyxglstvpsi.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\crpavleunxgxdxbbd.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\jbcqohdwsfrlurybgffx.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\pjmccxvqodrnyxglstvpsi.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\vjgqkzrgyhpfkdgf.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\jbcqohdwsfrlurybgffx.exe	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File created	C:\Windows\SysWOW64\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File opened for modification	C:\Windows\SysWOW64\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File created	C:\Program Files (x86)\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File opened for modification	C:\Program Files (x86)\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe
File created	C:\Program Files (x86)\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vjgqkzrgyhpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\crpavleunxgxdxbbd.exe	ybnmv.exe
File opened for modification	C:\Windows\jbcqohdwsfrlurybgffx.exe	ybnmv.exe
File opened for modification	C:\Windows\yrtihbyspdqlvtbfllmfh.exe	ybnmv.exe
File opened for modification	C:\Windows\crpavleunxgxdxbbd.exe	ybnmv.exe
File opened for modification	C:\Windows\wnnaxpkcxjunvrxzdba.exe	ybnmv.exe
File opened for modification	C:\Windows\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe
File opened for modification	C:\Windows\wnnaxpkcxjunvrxzdba.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\jbcqohdwsfrlurybgffx.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\wnnaxpkcxjunvrxzdba.exe	ybnmv.exe
File opened for modification	C:\Windows\vjgqkzrgyhpfkdgf.exe	ybnmv.exe
File opened for modification	C:\Windows\lbamiztkepzrytyzcz.exe	ybnmv.exe
File opened for modification	C:\Windows\crpavleunxgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\lbamiztkepzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\yrtihbyspdqlvtbfllmfh.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\lbamiztkepzrytyzcz.exe	ybnmv.exe
File opened for modification	C:\Windows\jbcqohdwsfrlurybgffx.exe	ybnmv.exe
File opened for modification	C:\Windows\yrtihbyspdqlvtbfllmfh.exe	ybnmv.exe
File opened for modification	C:\Windows\pjmccxvqodrnyxglstvpsi.exe	ybnmv.exe
File opened for modification	C:\Windows\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File opened for modification	C:\Windows\pjmccxvqodrnyxglstvpsi.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\vjgqkzrgyhpfkdgf.exe	ybnmv.exe
File opened for modification	C:\Windows\pjmccxvqodrnyxglstvpsi.exe	ybnmv.exe
File created	C:\Windows\axdwzxywxpgftvhpzdifl.hfg	ybnmv.exe
File created	C:\Windows\vduymvhqcfhrqdatodtbswktfoadfpob.rmb	ybnmv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	ybnmv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1968	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	81
PID 4700 wrote to memory of 1968	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	81
PID 4700 wrote to memory of 1968	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	81
PID 1968 wrote to memory of 1696	1968	grrfdxtjqbb.exe	83
PID 1968 wrote to memory of 1696	1968	grrfdxtjqbb.exe	83
PID 1968 wrote to memory of 1696	1968	grrfdxtjqbb.exe	83
PID 1968 wrote to memory of 548	1968	grrfdxtjqbb.exe	84
PID 1968 wrote to memory of 548	1968	grrfdxtjqbb.exe	84
PID 1968 wrote to memory of 548	1968	grrfdxtjqbb.exe	84
PID 4700 wrote to memory of 2492	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	92
PID 4700 wrote to memory of 2492	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	92
PID 4700 wrote to memory of 2492	4700	7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe	92

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ybnmv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ybnmv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ybnmv.exe

C:\Users\Admin\AppData\Local\Temp\7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe
"C:\Users\Admin\AppData\Local\Temp\7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ybnmv.exe
    "C:\Users\Admin\AppData\Local\Temp\ybnmv.exe" "-C:\Users\Admin\AppData\Local\Temp\vjgqkzrgyhpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\ybnmv.exe
    "C:\Users\Admin\AppData\Local\Temp\ybnmv.exe" "-C:\Users\Admin\AppData\Local\Temp\vjgqkzrgyhpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:548
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71.exe"
  2⤵
  - Executes dropped EXE
  PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crpavleunxgxdxbbd.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
8a171951600bd9f630ec4a8c148dd258

SHA1
b5a318c1c6ed762b0d81538eecb16951fc49b5a0

SHA256
c7912810bf2b1e11498cd6694d169057306ba90cb720d7980d66c7b6b5558180

SHA512
c620b1f7e2772575a3f5426ead5945d8095f1608e1384a2ab0059f76248350fc834c4998bd3baa15c857f09d4a8b6e8b0c4d7e1711b037ba0b244910d33df866

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
8a171951600bd9f630ec4a8c148dd258

SHA1
b5a318c1c6ed762b0d81538eecb16951fc49b5a0

SHA256
c7912810bf2b1e11498cd6694d169057306ba90cb720d7980d66c7b6b5558180

SHA512
c620b1f7e2772575a3f5426ead5945d8095f1608e1384a2ab0059f76248350fc834c4998bd3baa15c857f09d4a8b6e8b0c4d7e1711b037ba0b244910d33df866

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
8a171951600bd9f630ec4a8c148dd258

SHA1
b5a318c1c6ed762b0d81538eecb16951fc49b5a0

SHA256
c7912810bf2b1e11498cd6694d169057306ba90cb720d7980d66c7b6b5558180

SHA512
c620b1f7e2772575a3f5426ead5945d8095f1608e1384a2ab0059f76248350fc834c4998bd3baa15c857f09d4a8b6e8b0c4d7e1711b037ba0b244910d33df866

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbcqohdwsfrlurybgffx.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbamiztkepzrytyzcz.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjmccxvqodrnyxglstvpsi.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjgqkzrgyhpfkdgf.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnnaxpkcxjunvrxzdba.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybnmv.exe

Filesize
708KB

MD5
8eb6e6503571848a67b158bba198f076

SHA1
7cd3d4977e77eb607f266e45096ffc61a3fce4fb

SHA256
a0822dd7cab02ec81a556cad601b0cac513a7de94c7d42b84c8680860b33e1e9

SHA512
780bebd2c28f244f5a3b57f70fc765fd0e52383017d836726d16972140e2ae9af5f6a7b7a18eeac7ded7ffa4009f08c9757825704fee069b38963216c333c6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybnmv.exe

Filesize
708KB

MD5
8eb6e6503571848a67b158bba198f076

SHA1
7cd3d4977e77eb607f266e45096ffc61a3fce4fb

SHA256
a0822dd7cab02ec81a556cad601b0cac513a7de94c7d42b84c8680860b33e1e9

SHA512
780bebd2c28f244f5a3b57f70fc765fd0e52383017d836726d16972140e2ae9af5f6a7b7a18eeac7ded7ffa4009f08c9757825704fee069b38963216c333c6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybnmv.exe

Filesize
708KB

MD5
8eb6e6503571848a67b158bba198f076

SHA1
7cd3d4977e77eb607f266e45096ffc61a3fce4fb

SHA256
a0822dd7cab02ec81a556cad601b0cac513a7de94c7d42b84c8680860b33e1e9

SHA512
780bebd2c28f244f5a3b57f70fc765fd0e52383017d836726d16972140e2ae9af5f6a7b7a18eeac7ded7ffa4009f08c9757825704fee069b38963216c333c6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrtihbyspdqlvtbfllmfh.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\crpavleunxgxdxbbd.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\jbcqohdwsfrlurybgffx.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\lbamiztkepzrytyzcz.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\pjmccxvqodrnyxglstvpsi.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\vjgqkzrgyhpfkdgf.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\wnnaxpkcxjunvrxzdba.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\SysWOW64\yrtihbyspdqlvtbfllmfh.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\crpavleunxgxdxbbd.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\crpavleunxgxdxbbd.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\jbcqohdwsfrlurybgffx.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\jbcqohdwsfrlurybgffx.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\lbamiztkepzrytyzcz.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\lbamiztkepzrytyzcz.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\pjmccxvqodrnyxglstvpsi.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\pjmccxvqodrnyxglstvpsi.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\vjgqkzrgyhpfkdgf.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\vjgqkzrgyhpfkdgf.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\wnnaxpkcxjunvrxzdba.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\wnnaxpkcxjunvrxzdba.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\yrtihbyspdqlvtbfllmfh.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit
C:\Windows\yrtihbyspdqlvtbfllmfh.exe

Filesize
648KB

MD5
68499d93e5ff4d1e8bd7b14ce3b55add

SHA1
8eb09e8c065d5d489024601650494d806f76a454

SHA256
7aeee031d10561d531f03e64874fbe01dddca7f175b2e6a4c19f039c01348c71

SHA512
4d9131886e9d72c6ccc104f8f2a2480ac1d9ccd25b62d0c0f2d01897d2426582793e4e90668d3be5ec83f705844a413ea6cd00ae5b551bda843adb4ac0dc3f51

Download Submit