d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
Size

1016KB
MD5

80222288b66d339b74f2f8e4d4901df0
SHA1

045bdfa2ed1256a8968190cc66e3a41fb35041a5
SHA256

d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344
SHA512

73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5
SSDEEP

6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:qIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aimlu.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimlu.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizlhupfyjfxumoahh.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "nizlhupfyjfxumoahh.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "yumzwkgxrdatrknaijf.exe"	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "nizlhupfyjfxumoahh.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "libpnczrmzxrqkoclnkd.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luzzjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqyboselv = "libpnczrmzxrqkoclnkd.exe"	aimlu.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe

Executes dropped EXE 3 IoCs

pid	Process
952	ixiyjejjshs.exe
1116	aimlu.exe
2032	aimlu.exe

Loads dropped DLL 6 IoCs

pid	Process
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
952	ixiyjejjshs.exe
952	ixiyjejjshs.exe
952	ixiyjejjshs.exe
952	ixiyjejjshs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "libpnczrmzxrqkoclnkd.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "nizlhupfyjfxumoahh.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "nizlhupfyjfxumoahh.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "yumzwkgxrdatrknaijf.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizlhupfyjfxumoahh.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "ayshgwunjxwrrmrgqtrla.exe ."	aimlu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizlhupfyjfxumoahh.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "eyozugaphrmdzqrci.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "nizlhupfyjfxumoahh.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "xqfpjunbsbvlgwwg.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "yumzwkgxrdatrknaijf.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	aimlu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfpjunbsbvlgwwg.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "yumzwkgxrdatrknaijf.exe"	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "ayshgwunjxwrrmrgqtrla.exe"	aimlu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumzwkgxrdatrknaijf.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizlhupfyjfxumoahh.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "eyozugaphrmdzqrci.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "yumzwkgxrdatrknaijf.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oeqxowmxlrivn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyozugaphrmdzqrci.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayshgwunjxwrrmrgqtrla.exe ."	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "xqfpjunbsbvlgwwg.exe"	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "ayshgwunjxwrrmrgqtrla.exe ."	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\xktxlqdlwz = "yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yiopacm = "yumzwkgxrdatrknaijf.exe"	aimlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyfhtwhn = "libpnczrmzxrqkoclnkd.exe ."	aimlu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "nizlhupfyjfxumoahh.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pepvlshrejzl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libpnczrmzxrqkoclnkd.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiopacm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyozugaphrmdzqrci.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aimlu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sgqvkqenzds = "eyozugaphrmdzqrci.exe ."	aimlu.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyip.everdot.org
3	www.showmyipaddress.com
7	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\rqlbbsrlixxtuqwmxbavll.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\xqfpjunbsbvlgwwg.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\libpnczrmzxrqkoclnkd.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\nizlhupfyjfxumoahh.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\libpnczrmzxrqkoclnkd.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\nizlhupfyjfxumoahh.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\yumzwkgxrdatrknaijf.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\ayshgwunjxwrrmrgqtrla.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\eyozugaphrmdzqrci.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\yumzwkgxrdatrknaijf.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\ayshgwunjxwrrmrgqtrla.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\yumzwkgxrdatrknaijf.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\ayshgwunjxwrrmrgqtrla.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\eyozugaphrmdzqrci.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\xqfpjunbsbvlgwwg.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\nizlhupfyjfxumoahh.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\eyozugaphrmdzqrci.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\rqlbbsrlixxtuqwmxbavll.exe	aimlu.exe
File created	C:\Windows\SysWOW64\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\libpnczrmzxrqkoclnkd.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\rqlbbsrlixxtuqwmxbavll.exe	aimlu.exe
File opened for modification	C:\Windows\SysWOW64\xqfpjunbsbvlgwwg.exe	aimlu.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File created	C:\Program Files (x86)\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File opened for modification	C:\Program Files (x86)\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe
File created	C:\Program Files (x86)\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\libpnczrmzxrqkoclnkd.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\ayshgwunjxwrrmrgqtrla.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\nizlhupfyjfxumoahh.exe	aimlu.exe
File opened for modification	C:\Windows\libpnczrmzxrqkoclnkd.exe	aimlu.exe
File opened for modification	C:\Windows\rqlbbsrlixxtuqwmxbavll.exe	aimlu.exe
File opened for modification	C:\Windows\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File opened for modification	C:\Windows\xqfpjunbsbvlgwwg.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\yumzwkgxrdatrknaijf.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\rqlbbsrlixxtuqwmxbavll.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\xqfpjunbsbvlgwwg.exe	aimlu.exe
File opened for modification	C:\Windows\nizlhupfyjfxumoahh.exe	aimlu.exe
File opened for modification	C:\Windows\rqlbbsrlixxtuqwmxbavll.exe	aimlu.exe
File opened for modification	C:\Windows\eyozugaphrmdzqrci.exe	aimlu.exe
File created	C:\Windows\fklhnkppsntvceqmdnstpvsx.avb	aimlu.exe
File opened for modification	C:\Windows\eyozugaphrmdzqrci.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe
File created	C:\Windows\oeqxowmxlrivnaxegbrdkbjzkyeviankrto.qxo	aimlu.exe
File opened for modification	C:\Windows\ayshgwunjxwrrmrgqtrla.exe	aimlu.exe
File opened for modification	C:\Windows\eyozugaphrmdzqrci.exe	aimlu.exe
File opened for modification	C:\Windows\yumzwkgxrdatrknaijf.exe	aimlu.exe
File opened for modification	C:\Windows\libpnczrmzxrqkoclnkd.exe	aimlu.exe
File opened for modification	C:\Windows\xqfpjunbsbvlgwwg.exe	aimlu.exe
File opened for modification	C:\Windows\yumzwkgxrdatrknaijf.exe	aimlu.exe
File opened for modification	C:\Windows\ayshgwunjxwrrmrgqtrla.exe	aimlu.exe
File opened for modification	C:\Windows\nizlhupfyjfxumoahh.exe	ixiyjejjshs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
2032	aimlu.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
2032	aimlu.exe
2032	aimlu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	aimlu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 952	864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe	27
PID 864 wrote to memory of 952	864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe	27
PID 864 wrote to memory of 952	864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe	27
PID 864 wrote to memory of 952	864	d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe	27
PID 952 wrote to memory of 1116	952	ixiyjejjshs.exe	29
PID 952 wrote to memory of 1116	952	ixiyjejjshs.exe	29
PID 952 wrote to memory of 1116	952	ixiyjejjshs.exe	29
PID 952 wrote to memory of 1116	952	ixiyjejjshs.exe	29
PID 952 wrote to memory of 2032	952	ixiyjejjshs.exe	28
PID 952 wrote to memory of 2032	952	ixiyjejjshs.exe	28
PID 952 wrote to memory of 2032	952	ixiyjejjshs.exe	28
PID 952 wrote to memory of 2032	952	ixiyjejjshs.exe	28

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aimlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aimlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aimlu.exe

C:\Users\Admin\AppData\Local\Temp\d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe
"C:\Users\Admin\AppData\Local\Temp\d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
  "C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe" "c:\users\admin\appdata\local\temp\d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\aimlu.exe
    "C:\Users\Admin\AppData\Local\Temp\aimlu.exe" "-C:\Users\Admin\AppData\Local\Temp\xqfpjunbsbvlgwwg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\aimlu.exe
    "C:\Users\Admin\AppData\Local\Temp\aimlu.exe" "-C:\Users\Admin\AppData\Local\Temp\xqfpjunbsbvlgwwg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayshgwunjxwrrmrgqtrla.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyozugaphrmdzqrci.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
12b3dce939aab67108ce0ef94e7237bf

SHA1
44a54a100833b60777d4f0892f5f105f0b9346e8

SHA256
7fd9f207fc4e35eb0a9d8b934654aaaebd4d1729cf428fbea8b158c9b7e7caf7

SHA512
97d066c453f9a7f3ad7f540d342210bbfe28b27843351bb69b5367260b540fa36684bc8c19390efa0d40197357782fdc5f8d78ea189ffea92cd6189deef5ec3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
12b3dce939aab67108ce0ef94e7237bf

SHA1
44a54a100833b60777d4f0892f5f105f0b9346e8

SHA256
7fd9f207fc4e35eb0a9d8b934654aaaebd4d1729cf428fbea8b158c9b7e7caf7

SHA512
97d066c453f9a7f3ad7f540d342210bbfe28b27843351bb69b5367260b540fa36684bc8c19390efa0d40197357782fdc5f8d78ea189ffea92cd6189deef5ec3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpnczrmzxrqkoclnkd.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nizlhupfyjfxumoahh.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqlbbsrlixxtuqwmxbavll.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqfpjunbsbvlgwwg.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yumzwkgxrdatrknaijf.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\ayshgwunjxwrrmrgqtrla.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\eyozugaphrmdzqrci.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\libpnczrmzxrqkoclnkd.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\nizlhupfyjfxumoahh.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\rqlbbsrlixxtuqwmxbavll.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\xqfpjunbsbvlgwwg.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\SysWOW64\yumzwkgxrdatrknaijf.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\ayshgwunjxwrrmrgqtrla.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\ayshgwunjxwrrmrgqtrla.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\eyozugaphrmdzqrci.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\eyozugaphrmdzqrci.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\libpnczrmzxrqkoclnkd.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\libpnczrmzxrqkoclnkd.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\nizlhupfyjfxumoahh.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\nizlhupfyjfxumoahh.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\rqlbbsrlixxtuqwmxbavll.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\rqlbbsrlixxtuqwmxbavll.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\xqfpjunbsbvlgwwg.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\xqfpjunbsbvlgwwg.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\yumzwkgxrdatrknaijf.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
C:\Windows\yumzwkgxrdatrknaijf.exe

Filesize
1016KB

MD5
80222288b66d339b74f2f8e4d4901df0

SHA1
045bdfa2ed1256a8968190cc66e3a41fb35041a5

SHA256
d29dfea8e5de80764a6cdabbb27404b8f72f990eda3ce571b2cf8e949e7b6344

SHA512
73667bb22df2a884a855c3136ff1cc6e058df667e7a507f50ac60f916b165d7f31376164382556696b22d9a8597e28e82db026af40020b92a487324ac4c453f5

Download Submit
\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
\Users\Admin\AppData\Local\Temp\aimlu.exe

Filesize
708KB

MD5
830e59258c5789307434eac60fb20110

SHA1
226ff36e7e7719523ff572de460dfec67beb519e

SHA256
d17a611261070069625f7dbad6629e12c6127280ed10781efb976d040bfcb11d

SHA512
6fa0d964e9bd38e2c849acb74b7d7d47288a71216e0d5a8968fc68bcd69575a865a399b7443a3d4aca4030933353246bb9f6acd862c989a32524f063626ec6f1

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
12b3dce939aab67108ce0ef94e7237bf

SHA1
44a54a100833b60777d4f0892f5f105f0b9346e8

SHA256
7fd9f207fc4e35eb0a9d8b934654aaaebd4d1729cf428fbea8b158c9b7e7caf7

SHA512
97d066c453f9a7f3ad7f540d342210bbfe28b27843351bb69b5367260b540fa36684bc8c19390efa0d40197357782fdc5f8d78ea189ffea92cd6189deef5ec3f

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe

Filesize
320KB

MD5
12b3dce939aab67108ce0ef94e7237bf

SHA1
44a54a100833b60777d4f0892f5f105f0b9346e8

SHA256
7fd9f207fc4e35eb0a9d8b934654aaaebd4d1729cf428fbea8b158c9b7e7caf7

SHA512
97d066c453f9a7f3ad7f540d342210bbfe28b27843351bb69b5367260b540fa36684bc8c19390efa0d40197357782fdc5f8d78ea189ffea92cd6189deef5ec3f

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download