7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

Analysis

max time kernel
161s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
Size

1016KB
MD5

66ccf1008145ac36d94f620756394440
SHA1

549bc2b2373dc2c3afc7c5b710a13b39be884510
SHA256

7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7
SHA512

ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e
SSDEEP

6144:CIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:CIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lmwbet.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmwbet.exe

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "xicredpatipfkdgf.exe"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "layrilbqngrlurybgfhw.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "ymjbrtiwskunvrxzdbc.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "eqlbppcoiygxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "layrilbqngrlurybgfhw.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "nawncdrezqzrytyzcz.exe"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "nawncdrezqzrytyzcz.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ownzjfowmycpr = "ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xcqzgzfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe"	grrfdxtjqbb.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe

Executes dropped EXE 4 IoCs

pid	Process
1096	grrfdxtjqbb.exe
4112	lmwbet.exe
2140	lmwbet.exe
4336	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "nawncdrezqzrytyzcz.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "aqpjbfwmkeqlvtbflloed.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "xicredpatipfkdgf.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlbppcoiygxdxbbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlbppcoiygxdxbbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "xicredpatipfkdgf.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpjbfwmkeqlvtbflloed.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlbppcoiygxdxbbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "xicredpatipfkdgf.exe"	lmwbet.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xicredpatipfkdgf.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "layrilbqngrlurybgfhw.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "nawncdrezqzrytyzcz.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "nawncdrezqzrytyzcz.exe ."	lmwbet.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "eqlbppcoiygxdxbbd.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlbppcoiygxdxbbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpjbfwmkeqlvtbflloed.exe ."	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqlbppcoiygxdxbbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "nawncdrezqzrytyzcz.exe"	lmwbet.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\layrilbqngrlurybgfhw.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "aqpjbfwmkeqlvtbflloed.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlbppcoiygxdxbbd.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "nawncdrezqzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "eqlbppcoiygxdxbbd.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nawncdrezqzrytyzcz.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "layrilbqngrlurybgfhw.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xicredpatipfkdgf.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "eqlbppcoiygxdxbbd.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "xicredpatipfkdgf.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "eqlbppcoiygxdxbbd.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\scvjvteoguaptln = "ymjbrtiwskunvrxzdbc.exe ."	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "aqpjbfwmkeqlvtbflloed.exe"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	lmwbet.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\synxfzgmakm = "eqlbppcoiygxdxbbd.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xicredpatipfkdgf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymjbrtiwskunvrxzdbc.exe ."	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lmwbet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyqdolvevinbev = "ymjbrtiwskunvrxzdbc.exe"	lmwbet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwmxgbjqfqtf = "nawncdrezqzrytyzcz.exe ."	lmwbet.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	whatismyipaddress.com
58	www.showmyipaddress.com
24	www.showmyipaddress.com
28	whatismyipaddress.com
32	whatismyip.everdot.org
37	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eqlbppcoiygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ymjbrtiwskunvrxzdbc.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\riidwbtkjernyxglstxooj.exe	lmwbet.exe
File created	C:\Windows\SysWOW64\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\xicredpatipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xicredpatipfkdgf.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\layrilbqngrlurybgfhw.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\aqpjbfwmkeqlvtbflloed.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\xicredpatipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\aqpjbfwmkeqlvtbflloed.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\layrilbqngrlurybgfhw.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\eqlbppcoiygxdxbbd.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\nawncdrezqzrytyzcz.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\aqpjbfwmkeqlvtbflloed.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\nawncdrezqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ymjbrtiwskunvrxzdbc.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\eqlbppcoiygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\nawncdrezqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\layrilbqngrlurybgfhw.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\riidwbtkjernyxglstxooj.exe	lmwbet.exe
File created	C:\Windows\SysWOW64\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\riidwbtkjernyxglstxooj.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xicredpatipfkdgf.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\ymjbrtiwskunvrxzdbc.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\nawncdrezqzrytyzcz.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\ymjbrtiwskunvrxzdbc.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\aqpjbfwmkeqlvtbflloed.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\riidwbtkjernyxglstxooj.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\eqlbppcoiygxdxbbd.exe	lmwbet.exe
File opened for modification	C:\Windows\SysWOW64\layrilbqngrlurybgfhw.exe	grrfdxtjqbb.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File created	C:\Program Files (x86)\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File opened for modification	C:\Program Files (x86)\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe
File created	C:\Program Files (x86)\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xicredpatipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\eqlbppcoiygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\layrilbqngrlurybgfhw.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File opened for modification	C:\Windows\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe
File opened for modification	C:\Windows\layrilbqngrlurybgfhw.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\aqpjbfwmkeqlvtbflloed.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\riidwbtkjernyxglstxooj.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ymjbrtiwskunvrxzdbc.exe	lmwbet.exe
File opened for modification	C:\Windows\layrilbqngrlurybgfhw.exe	lmwbet.exe
File opened for modification	C:\Windows\aqpjbfwmkeqlvtbflloed.exe	lmwbet.exe
File opened for modification	C:\Windows\eqlbppcoiygxdxbbd.exe	lmwbet.exe
File opened for modification	C:\Windows\layrilbqngrlurybgfhw.exe	lmwbet.exe
File created	C:\Windows\cwzxtbwqsqgftvhpzdkeh.bje	lmwbet.exe
File created	C:\Windows\xcqzgzfkxghrqdatodvaoxexdivefpob.rmb	lmwbet.exe
File opened for modification	C:\Windows\eqlbppcoiygxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xicredpatipfkdgf.exe	lmwbet.exe
File opened for modification	C:\Windows\nawncdrezqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\nawncdrezqzrytyzcz.exe	lmwbet.exe
File opened for modification	C:\Windows\ymjbrtiwskunvrxzdbc.exe	lmwbet.exe
File opened for modification	C:\Windows\aqpjbfwmkeqlvtbflloed.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xicredpatipfkdgf.exe	lmwbet.exe
File opened for modification	C:\Windows\ymjbrtiwskunvrxzdbc.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\eqlbppcoiygxdxbbd.exe	lmwbet.exe
File opened for modification	C:\Windows\riidwbtkjernyxglstxooj.exe	lmwbet.exe
File opened for modification	C:\Windows\nawncdrezqzrytyzcz.exe	lmwbet.exe
File opened for modification	C:\Windows\aqpjbfwmkeqlvtbflloed.exe	lmwbet.exe
File opened for modification	C:\Windows\riidwbtkjernyxglstxooj.exe	lmwbet.exe
File opened for modification	C:\Windows\ymjbrtiwskunvrxzdbc.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\nawncdrezqzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xicredpatipfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\riidwbtkjernyxglstxooj.exe	grrfdxtjqbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
4112	lmwbet.exe
4112	lmwbet.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	lmwbet.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1096	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	82
PID 1320 wrote to memory of 1096	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	82
PID 1320 wrote to memory of 1096	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	82
PID 1096 wrote to memory of 4112	1096	grrfdxtjqbb.exe	85
PID 1096 wrote to memory of 4112	1096	grrfdxtjqbb.exe	85
PID 1096 wrote to memory of 4112	1096	grrfdxtjqbb.exe	85
PID 1096 wrote to memory of 2140	1096	grrfdxtjqbb.exe	86
PID 1096 wrote to memory of 2140	1096	grrfdxtjqbb.exe	86
PID 1096 wrote to memory of 2140	1096	grrfdxtjqbb.exe	86
PID 1320 wrote to memory of 4336	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	94
PID 1320 wrote to memory of 4336	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	94
PID 1320 wrote to memory of 4336	1320	7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe	94

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lmwbet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lmwbet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lmwbet.exe

C:\Users\Admin\AppData\Local\Temp\7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe
"C:\Users\Admin\AppData\Local\Temp\7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\lmwbet.exe
    "C:\Users\Admin\AppData\Local\Temp\lmwbet.exe" "-C:\Users\Admin\AppData\Local\Temp\xicredpatipfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\lmwbet.exe
    "C:\Users\Admin\AppData\Local\Temp\lmwbet.exe" "-C:\Users\Admin\AppData\Local\Temp\xicredpatipfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2140
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqpjbfwmkeqlvtbflloed.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqlbppcoiygxdxbbd.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7c1e3706084a28bf503eee6dbde97887

SHA1
33f040e9093e1a07b5d0688562fb256b38de89e8

SHA256
7fff61ac66d8c30761877b8396ff3094ecf0b746708857330e0cfd33b0bb44c8

SHA512
10949084a55220dc4768d2feb75b1399dd80067a648187ff873ccf4921b12f3b076836eaf36106c0af6fd03488f7426243b85937f58642f376a6f4026bbc717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7c1e3706084a28bf503eee6dbde97887

SHA1
33f040e9093e1a07b5d0688562fb256b38de89e8

SHA256
7fff61ac66d8c30761877b8396ff3094ecf0b746708857330e0cfd33b0bb44c8

SHA512
10949084a55220dc4768d2feb75b1399dd80067a648187ff873ccf4921b12f3b076836eaf36106c0af6fd03488f7426243b85937f58642f376a6f4026bbc717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
7c1e3706084a28bf503eee6dbde97887

SHA1
33f040e9093e1a07b5d0688562fb256b38de89e8

SHA256
7fff61ac66d8c30761877b8396ff3094ecf0b746708857330e0cfd33b0bb44c8

SHA512
10949084a55220dc4768d2feb75b1399dd80067a648187ff873ccf4921b12f3b076836eaf36106c0af6fd03488f7426243b85937f58642f376a6f4026bbc717b

Download Submit
C:\Users\Admin\AppData\Local\Temp\layrilbqngrlurybgfhw.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmwbet.exe

Filesize
708KB

MD5
7c9bb020cbf98c76d073aa9f295abe99

SHA1
a2475f4411a1b7c7731ce50f6bba0f8b0b6b5307

SHA256
564df2623586d9757826a09e0cd6a78a9ad327bdabd72538fb76e9fc8b829e8c

SHA512
dbd25f0027e8be8f7642bbe9d6e5f002704de2c93c455c0adb24c622bcae868ee2db61c24b0bc8be8d7a754716b0c3d183232d50bd3ed3efc2dabe888efb3063

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmwbet.exe

Filesize
708KB

MD5
7c9bb020cbf98c76d073aa9f295abe99

SHA1
a2475f4411a1b7c7731ce50f6bba0f8b0b6b5307

SHA256
564df2623586d9757826a09e0cd6a78a9ad327bdabd72538fb76e9fc8b829e8c

SHA512
dbd25f0027e8be8f7642bbe9d6e5f002704de2c93c455c0adb24c622bcae868ee2db61c24b0bc8be8d7a754716b0c3d183232d50bd3ed3efc2dabe888efb3063

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmwbet.exe

Filesize
708KB

MD5
7c9bb020cbf98c76d073aa9f295abe99

SHA1
a2475f4411a1b7c7731ce50f6bba0f8b0b6b5307

SHA256
564df2623586d9757826a09e0cd6a78a9ad327bdabd72538fb76e9fc8b829e8c

SHA512
dbd25f0027e8be8f7642bbe9d6e5f002704de2c93c455c0adb24c622bcae868ee2db61c24b0bc8be8d7a754716b0c3d183232d50bd3ed3efc2dabe888efb3063

Download Submit
C:\Users\Admin\AppData\Local\Temp\nawncdrezqzrytyzcz.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\riidwbtkjernyxglstxooj.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xicredpatipfkdgf.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjbrtiwskunvrxzdbc.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\aqpjbfwmkeqlvtbflloed.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\eqlbppcoiygxdxbbd.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\layrilbqngrlurybgfhw.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\nawncdrezqzrytyzcz.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\riidwbtkjernyxglstxooj.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\xicredpatipfkdgf.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\SysWOW64\ymjbrtiwskunvrxzdbc.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\aqpjbfwmkeqlvtbflloed.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\aqpjbfwmkeqlvtbflloed.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\aqpjbfwmkeqlvtbflloed.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\eqlbppcoiygxdxbbd.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\eqlbppcoiygxdxbbd.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\eqlbppcoiygxdxbbd.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\layrilbqngrlurybgfhw.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\layrilbqngrlurybgfhw.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\layrilbqngrlurybgfhw.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\nawncdrezqzrytyzcz.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\nawncdrezqzrytyzcz.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\nawncdrezqzrytyzcz.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\riidwbtkjernyxglstxooj.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\riidwbtkjernyxglstxooj.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\riidwbtkjernyxglstxooj.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\xicredpatipfkdgf.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\xicredpatipfkdgf.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\xicredpatipfkdgf.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\ymjbrtiwskunvrxzdbc.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\ymjbrtiwskunvrxzdbc.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit
C:\Windows\ymjbrtiwskunvrxzdbc.exe

Filesize
1016KB

MD5
66ccf1008145ac36d94f620756394440

SHA1
549bc2b2373dc2c3afc7c5b710a13b39be884510

SHA256
7c33c7f033397176860ea90c7c8740ddbee4884151dd528a6ecc76d7e5ce72a7

SHA512
ba183c204e56840089d2c10e392c81c174b5aef0f6fe1a94f072ff8b918c8e8008b80a6f9c0d1415757203248525ddbc4f1ce2cd317e6f81c640262edfe8032e

Download Submit