a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

Analysis

max time kernel
153s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
Size

1016KB
MD5

6d6251f40847f86830b194ec8b9fd160
SHA1

cb2c3f35496101c4021adce6494711ec9aabc896
SHA256

a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04
SHA512

f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d
SSDEEP

6144:0IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:0IXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ituhll.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "khutjvnkwprbvfetnm.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "khutjvnkwprbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "xxnpixsshdivsfhzwyllb.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "vthhylecpjmxsddtooz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "bxjhwhyufxyhajhvo.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "vthhylecpjmxsddtooz.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "vthhylecpjmxsddtooz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xhhtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kxapvxfs = "upaxlvlgqhhphpmz.exe"	ituhll.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe

Executes dropped EXE 4 IoCs

pid	Process
508	yborjrewily.exe
4696	ituhll.exe
4108	ituhll.exe
5080	yborjrewily.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yborjrewily.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "ihwxpdxwkfjvrdevrsed.exe"	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujofnrbquf = "bxjhwhyufxyhajhvo.exe ."	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ituhll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "xxnpixsshdivsfhzwyllb.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "xxnpixsshdivsfhzwyllb.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe ."	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe ."	ituhll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe ."	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "ihwxpdxwkfjvrdevrsed.exe ."	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "khutjvnkwprbvfetnm.exe ."	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe ."	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "upaxlvlgqhhphpmz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxnpixsshdivsfhzwyllb.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihwxpdxwkfjvrdevrsed.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujofnrbquf = "upaxlvlgqhhphpmz.exe ."	ituhll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "bxjhwhyufxyhajhvo.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe ."	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "vthhylecpjmxsddtooz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "khutjvnkwprbvfetnm.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "vthhylecpjmxsddtooz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "upaxlvlgqhhphpmz.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "vthhylecpjmxsddtooz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujofnrbquf = "ihwxpdxwkfjvrdevrsed.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	ituhll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituhll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ujofnrbquf = "bxjhwhyufxyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "vthhylecpjmxsddtooz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfldmrcsxje = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upaxlvlgqhhphpmz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhjxcdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vthhylecpjmxsddtooz.exe ."	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "upaxlvlgqhhphpmz.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxjhwhyufxyhajhvo.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdkdntfwcplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khutjvnkwprbvfetnm.exe"	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "ihwxpdxwkfjvrdevrsed.exe"	ituhll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bptjqtcqt = "khutjvnkwprbvfetnm.exe"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ituhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ituhll = "upaxlvlgqhhphpmz.exe"	ituhll.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	www.showmyipaddress.com
41	whatismyip.everdot.org
17	whatismyipaddress.com
19	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	ituhll.exe
File created	C:\autorun.inf	ituhll.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ihwxpdxwkfjvrdevrsed.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\xxnpixsshdivsfhzwyllb.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\bxjhwhyufxyhajhvo.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\xxnpixsshdivsfhzwyllb.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\upaxlvlgqhhphpmz.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\xxnpixsshdivsfhzwyllb.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\khutjvnkwprbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\opgjdtpqgdjxvjmfdguvmp.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\khutjvnkwprbvfetnm.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\opgjdtpqgdjxvjmfdguvmp.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\opgjdtpqgdjxvjmfdguvmp.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\upaxlvlgqhhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vthhylecpjmxsddtooz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ihwxpdxwkfjvrdevrsed.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ihwxpdxwkfjvrdevrsed.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\bxjhwhyufxyhajhvo.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\vthhylecpjmxsddtooz.exe	ituhll.exe
File created	C:\Windows\SysWOW64\zdxdatswppypqhnjkqhlf.iba	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\khutjvnkwprbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xxnpixsshdivsfhzwyllb.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\upaxlvlgqhhphpmz.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\ihwxpdxwkfjvrdevrsed.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\bxjhwhyufxyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\opgjdtpqgdjxvjmfdguvmp.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vthhylecpjmxsddtooz.exe	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\zdxdatswppypqhnjkqhlf.iba	ituhll.exe
File opened for modification	C:\Windows\SysWOW64\upaxlvlgqhhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vthhylecpjmxsddtooz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\bxjhwhyufxyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\khutjvnkwprbvfetnm.exe	ituhll.exe
File created	C:\Windows\SysWOW64\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe
File created	C:\Program Files (x86)\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe
File opened for modification	C:\Program Files (x86)\zdxdatswppypqhnjkqhlf.iba	ituhll.exe
File created	C:\Program Files (x86)\zdxdatswppypqhnjkqhlf.iba	ituhll.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bxjhwhyufxyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\xxnpixsshdivsfhzwyllb.exe	ituhll.exe
File opened for modification	C:\Windows\upaxlvlgqhhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\upaxlvlgqhhphpmz.exe	ituhll.exe
File opened for modification	C:\Windows\bxjhwhyufxyhajhvo.exe	ituhll.exe
File opened for modification	C:\Windows\bxjhwhyufxyhajhvo.exe	ituhll.exe
File opened for modification	C:\Windows\ihwxpdxwkfjvrdevrsed.exe	yborjrewily.exe
File opened for modification	C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe	yborjrewily.exe
File opened for modification	C:\Windows\vthhylecpjmxsddtooz.exe	yborjrewily.exe
File opened for modification	C:\Windows\xxnpixsshdivsfhzwyllb.exe	yborjrewily.exe
File opened for modification	C:\Windows\bxjhwhyufxyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\upaxlvlgqhhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\vthhylecpjmxsddtooz.exe	yborjrewily.exe
File opened for modification	C:\Windows\ihwxpdxwkfjvrdevrsed.exe	yborjrewily.exe
File opened for modification	C:\Windows\ihwxpdxwkfjvrdevrsed.exe	ituhll.exe
File opened for modification	C:\Windows\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe
File opened for modification	C:\Windows\khutjvnkwprbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\xxnpixsshdivsfhzwyllb.exe	yborjrewily.exe
File opened for modification	C:\Windows\upaxlvlgqhhphpmz.exe	ituhll.exe
File opened for modification	C:\Windows\khutjvnkwprbvfetnm.exe	ituhll.exe
File opened for modification	C:\Windows\zdxdatswppypqhnjkqhlf.iba	ituhll.exe
File opened for modification	C:\Windows\khutjvnkwprbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\vthhylecpjmxsddtooz.exe	ituhll.exe
File opened for modification	C:\Windows\vthhylecpjmxsddtooz.exe	ituhll.exe
File opened for modification	C:\Windows\ihwxpdxwkfjvrdevrsed.exe	ituhll.exe
File opened for modification	C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe	ituhll.exe
File created	C:\Windows\zdxdatswppypqhnjkqhlf.iba	ituhll.exe
File created	C:\Windows\ujofnrbqufzbnpgnzqshmdlpzosdxzln.lxo	ituhll.exe
File opened for modification	C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe	yborjrewily.exe
File opened for modification	C:\Windows\khutjvnkwprbvfetnm.exe	ituhll.exe
File opened for modification	C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe	ituhll.exe
File opened for modification	C:\Windows\xxnpixsshdivsfhzwyllb.exe	ituhll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
4696	ituhll.exe
4696	ituhll.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	ituhll.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 508	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	81
PID 5100 wrote to memory of 508	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	81
PID 5100 wrote to memory of 508	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	81
PID 508 wrote to memory of 4696	508	yborjrewily.exe	82
PID 508 wrote to memory of 4696	508	yborjrewily.exe	82
PID 508 wrote to memory of 4696	508	yborjrewily.exe	82
PID 508 wrote to memory of 4108	508	yborjrewily.exe	83
PID 508 wrote to memory of 4108	508	yborjrewily.exe	83
PID 508 wrote to memory of 4108	508	yborjrewily.exe	83
PID 5100 wrote to memory of 5080	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	93
PID 5100 wrote to memory of 5080	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	93
PID 5100 wrote to memory of 5080	5100	a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe	93

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ituhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ituhll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ituhll.exe

C:\Users\Admin\AppData\Local\Temp\a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe
"C:\Users\Admin\AppData\Local\Temp\a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\ituhll.exe
    "C:\Users\Admin\AppData\Local\Temp\ituhll.exe" "-C:\Users\Admin\AppData\Local\Temp\upaxlvlgqhhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\ituhll.exe
    "C:\Users\Admin\AppData\Local\Temp\ituhll.exe" "-C:\Users\Admin\AppData\Local\Temp\upaxlvlgqhhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4108
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bxjhwhyufxyhajhvo.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihwxpdxwkfjvrdevrsed.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ituhll.exe

Filesize
712KB

MD5
5a638ad8f29407078f5c08ccf631b601

SHA1
79abee1fe77f2184be8d9a370899652a77b6616a

SHA256
195b0bd484658c8fcd9640737768c278ea8a5ae5c640565f38c255a82812f7db

SHA512
8ad7350aa3e51763081dab8d4819ec3ef17a80af35f809d0574584462187815dc0a8a975b4daa7a8d3495a0ae9d705244bcdcc181b63d4967f204d5cf2c75a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ituhll.exe

Filesize
712KB

MD5
5a638ad8f29407078f5c08ccf631b601

SHA1
79abee1fe77f2184be8d9a370899652a77b6616a

SHA256
195b0bd484658c8fcd9640737768c278ea8a5ae5c640565f38c255a82812f7db

SHA512
8ad7350aa3e51763081dab8d4819ec3ef17a80af35f809d0574584462187815dc0a8a975b4daa7a8d3495a0ae9d705244bcdcc181b63d4967f204d5cf2c75a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ituhll.exe

Filesize
712KB

MD5
5a638ad8f29407078f5c08ccf631b601

SHA1
79abee1fe77f2184be8d9a370899652a77b6616a

SHA256
195b0bd484658c8fcd9640737768c278ea8a5ae5c640565f38c255a82812f7db

SHA512
8ad7350aa3e51763081dab8d4819ec3ef17a80af35f809d0574584462187815dc0a8a975b4daa7a8d3495a0ae9d705244bcdcc181b63d4967f204d5cf2c75a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\khutjvnkwprbvfetnm.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\opgjdtpqgdjxvjmfdguvmp.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\upaxlvlgqhhphpmz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vthhylecpjmxsddtooz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxnpixsshdivsfhzwyllb.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
561e6d606cd30157b072414e698f7841

SHA1
ae9aa1c20a008650fc3295af549f868e6500a91d

SHA256
6c4b7d3f541312af5b42f8c6a66fa27a9e54077db03be5cd1eeec5069eb7875d

SHA512
365be4c4817aa39dc495809f6b90f6ad6dc1165a86aefc02d5687adf224c96d72afa1f7866f44afb758d17e39f9fd845f8f1d5e153e99ffd5903a637724aa767

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
561e6d606cd30157b072414e698f7841

SHA1
ae9aa1c20a008650fc3295af549f868e6500a91d

SHA256
6c4b7d3f541312af5b42f8c6a66fa27a9e54077db03be5cd1eeec5069eb7875d

SHA512
365be4c4817aa39dc495809f6b90f6ad6dc1165a86aefc02d5687adf224c96d72afa1f7866f44afb758d17e39f9fd845f8f1d5e153e99ffd5903a637724aa767

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
561e6d606cd30157b072414e698f7841

SHA1
ae9aa1c20a008650fc3295af549f868e6500a91d

SHA256
6c4b7d3f541312af5b42f8c6a66fa27a9e54077db03be5cd1eeec5069eb7875d

SHA512
365be4c4817aa39dc495809f6b90f6ad6dc1165a86aefc02d5687adf224c96d72afa1f7866f44afb758d17e39f9fd845f8f1d5e153e99ffd5903a637724aa767

Download Submit
C:\Windows\SysWOW64\bxjhwhyufxyhajhvo.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\ihwxpdxwkfjvrdevrsed.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\khutjvnkwprbvfetnm.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\opgjdtpqgdjxvjmfdguvmp.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\upaxlvlgqhhphpmz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\vthhylecpjmxsddtooz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\SysWOW64\xxnpixsshdivsfhzwyllb.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\bxjhwhyufxyhajhvo.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\bxjhwhyufxyhajhvo.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\bxjhwhyufxyhajhvo.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\ihwxpdxwkfjvrdevrsed.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\ihwxpdxwkfjvrdevrsed.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\ihwxpdxwkfjvrdevrsed.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\khutjvnkwprbvfetnm.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\khutjvnkwprbvfetnm.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\khutjvnkwprbvfetnm.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\opgjdtpqgdjxvjmfdguvmp.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\upaxlvlgqhhphpmz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\upaxlvlgqhhphpmz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\upaxlvlgqhhphpmz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\vthhylecpjmxsddtooz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\vthhylecpjmxsddtooz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\vthhylecpjmxsddtooz.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\xxnpixsshdivsfhzwyllb.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\xxnpixsshdivsfhzwyllb.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
C:\Windows\xxnpixsshdivsfhzwyllb.exe

Filesize
1016KB

MD5
6d6251f40847f86830b194ec8b9fd160

SHA1
cb2c3f35496101c4021adce6494711ec9aabc896

SHA256
a332b31812e9d062a170ac8d3bbb56ba37c1f9b4fc61fd09da0ae8ca718faf04

SHA512
f77d28c9da8db9b7c0f682e2c2707a67405ecebd891361c3672654cde245811fde6bde38cba995fa7c9b761cfaafc046a9767a70067a31f574b0bfcf23b87b8d

Download Submit
memory/508-132-0x0000000000000000-mapping.dmp

Download
memory/4108-138-0x0000000000000000-mapping.dmp

Download
memory/4696-135-0x0000000000000000-mapping.dmp

Download
memory/5080-168-0x0000000000000000-mapping.dmp

Download