200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
Size

1016KB
MD5

7c426cef8ecaa87b81ffe2b200ffe7e0
SHA1

a3523449271aba6cf346f2e2b3463b57fbdeccfa
SHA256

200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a
SHA512

0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14
SSDEEP

6144:oIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:oIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "phyrphcrogaqbdlxdhld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "ixlbwldpjypckjoxa.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixlbwldpjypckjoxa.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "phyrphcrogaqbdlxdhld.exe"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "ctjbypjxtkdscdkvadg.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjqznvglyg = "expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chlrchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixlbwldpjypckjoxa.exe"	ehjnw.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe

Executes dropped EXE 4 IoCs

pid	Process
4664	pwyrqtqlzgi.exe
2204	ehjnw.exe
3480	ehjnw.exe
3464	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pwyrqtqlzgi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "expjibxnlezqcfobinsld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "phyrphcrogaqbdlxdhld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe ."	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "ixlbwldpjypckjoxa.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ehjnw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixlbwldpjypckjoxa.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixlbwldpjypckjoxa.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "ctjbypjxtkdscdkvadg.exe ."	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnxmvhnbkv = "rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "expjibxnlezqcfobinsld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "rhwnjzsfaqiwfflvzb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "ixlbwldpjypckjoxa.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ehjnw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "bpcrlzqbuiykrptb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnxmvhnbkv = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "ixlbwldpjypckjoxa.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnxmvhnbkv = "rhwnjzsfaqiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "bpcrlzqbuiykrptb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdnzqbpxnyluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctjbypjxtkdscdkvadg.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnxmvhnbkv = "ixlbwldpjypckjoxa.exe"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "expjibxnlezqcfobinsld.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfnxmvhnbkv = "expjibxnlezqcfobinsld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ipvdqxhlx = "bpcrlzqbuiykrptb.exe ."	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phyrphcrogaqbdlxdhld.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	ehjnw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqdvhwfwiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhwnjzsfaqiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxcjvbkn = "ixlbwldpjypckjoxa.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdmxnxkrgqck = "rhwnjzsfaqiwfflvzb.exe ."	ehjnw.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	whatismyip.everdot.org
25	whatismyipaddress.com
49	whatismyipaddress.com
15	www.showmyipaddress.com

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	ehjnw.exe
File created	C:\autorun.inf	ehjnw.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vpiddxulkeasfjthpvbvoj.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\phyrphcrogaqbdlxdhld.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\phyrphcrogaqbdlxdhld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\phyrphcrogaqbdlxdhld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vpiddxulkeasfjthpvbvoj.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\ctjbypjxtkdscdkvadg.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\bpcrlzqbuiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\ctjbypjxtkdscdkvadg.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\rhwnjzsfaqiwfflvzb.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\ixlbwldpjypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\phyrphcrogaqbdlxdhld.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\vpiddxulkeasfjthpvbvoj.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\ctjbypjxtkdscdkvadg.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\expjibxnlezqcfobinsld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\ctjbypjxtkdscdkvadg.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\bpcrlzqbuiykrptb.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\vpiddxulkeasfjthpvbvoj.exe	ehjnw.exe
File created	C:\Windows\SysWOW64\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File created	C:\Windows\SysWOW64\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\ixlbwldpjypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\rhwnjzsfaqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\expjibxnlezqcfobinsld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\rhwnjzsfaqiwfflvzb.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\expjibxnlezqcfobinsld.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\bpcrlzqbuiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\rhwnjzsfaqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\bpcrlzqbuiykrptb.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\ixlbwldpjypckjoxa.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\expjibxnlezqcfobinsld.exe	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe
File opened for modification	C:\Windows\SysWOW64\ixlbwldpjypckjoxa.exe	ehjnw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe
File opened for modification	C:\Program Files (x86)\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File created	C:\Program Files (x86)\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File opened for modification	C:\Program Files (x86)\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rhwnjzsfaqiwfflvzb.exe	ehjnw.exe
File opened for modification	C:\Windows\expjibxnlezqcfobinsld.exe	ehjnw.exe
File opened for modification	C:\Windows\ixlbwldpjypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ixlbwldpjypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\expjibxnlezqcfobinsld.exe	ehjnw.exe
File opened for modification	C:\Windows\ctjbypjxtkdscdkvadg.exe	ehjnw.exe
File created	C:\Windows\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File created	C:\Windows\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe
File opened for modification	C:\Windows\vpiddxulkeasfjthpvbvoj.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vpiddxulkeasfjthpvbvoj.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\rhwnjzsfaqiwfflvzb.exe	ehjnw.exe
File opened for modification	C:\Windows\ctjbypjxtkdscdkvadg.exe	ehjnw.exe
File opened for modification	C:\Windows\ixlbwldpjypckjoxa.exe	ehjnw.exe
File opened for modification	C:\Windows\jjijppspuuwunxnhvhttstzz.zee	ehjnw.exe
File opened for modification	C:\Windows\ctjbypjxtkdscdkvadg.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ctjbypjxtkdscdkvadg.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\expjibxnlezqcfobinsld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bpcrlzqbuiykrptb.exe	ehjnw.exe
File opened for modification	C:\Windows\phyrphcrogaqbdlxdhld.exe	ehjnw.exe
File opened for modification	C:\Windows\sdnzqbpxnyluytuzyvsdnzqbpxnyluytuzy.sdn	ehjnw.exe
File opened for modification	C:\Windows\bpcrlzqbuiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\rhwnjzsfaqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bpcrlzqbuiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\phyrphcrogaqbdlxdhld.exe	ehjnw.exe
File opened for modification	C:\Windows\vpiddxulkeasfjthpvbvoj.exe	ehjnw.exe
File opened for modification	C:\Windows\phyrphcrogaqbdlxdhld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bpcrlzqbuiykrptb.exe	ehjnw.exe
File opened for modification	C:\Windows\rhwnjzsfaqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\expjibxnlezqcfobinsld.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ixlbwldpjypckjoxa.exe	ehjnw.exe
File opened for modification	C:\Windows\vpiddxulkeasfjthpvbvoj.exe	ehjnw.exe
File opened for modification	C:\Windows\phyrphcrogaqbdlxdhld.exe	pwyrqtqlzgi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
2204	ehjnw.exe
2204	ehjnw.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
2204	ehjnw.exe
2204	ehjnw.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	ehjnw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4664	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	85
PID 3368 wrote to memory of 4664	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	85
PID 3368 wrote to memory of 4664	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	85
PID 4664 wrote to memory of 2204	4664	pwyrqtqlzgi.exe	86
PID 4664 wrote to memory of 2204	4664	pwyrqtqlzgi.exe	86
PID 4664 wrote to memory of 2204	4664	pwyrqtqlzgi.exe	86
PID 4664 wrote to memory of 3480	4664	pwyrqtqlzgi.exe	87
PID 4664 wrote to memory of 3480	4664	pwyrqtqlzgi.exe	87
PID 4664 wrote to memory of 3480	4664	pwyrqtqlzgi.exe	87
PID 3368 wrote to memory of 3464	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	96
PID 3368 wrote to memory of 3464	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	96
PID 3368 wrote to memory of 3464	3368	200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe	96

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ehjnw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ehjnw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ehjnw.exe

C:\Users\Admin\AppData\Local\Temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe
"C:\Users\Admin\AppData\Local\Temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\ehjnw.exe
    "C:\Users\Admin\AppData\Local\Temp\ehjnw.exe" "-C:\Users\Admin\AppData\Local\Temp\bpcrlzqbuiykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\ehjnw.exe
    "C:\Users\Admin\AppData\Local\Temp\ehjnw.exe" "-C:\Users\Admin\AppData\Local\Temp\bpcrlzqbuiykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bpcrlzqbuiykrptb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctjbypjxtkdscdkvadg.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehjnw.exe

Filesize
688KB

MD5
bfe66643facc4ccb368d7ffe6ecdcfbb

SHA1
ca7f73ddfbc0e88b4eb4d86f7225ecd6973c78bf

SHA256
6ef982bbd6fd705b4a8afe1be4aba6058d2d1373a3f4e679abbcea44ac6e6050

SHA512
cfe36c8cd33652b92a9b93bd6e4e3b9d2cd9e9599a19dca11d9591967e877367c12c4e896862917828ab20fd6515d4439973e662c1502dcc00440cb835a3acbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehjnw.exe

Filesize
688KB

MD5
bfe66643facc4ccb368d7ffe6ecdcfbb

SHA1
ca7f73ddfbc0e88b4eb4d86f7225ecd6973c78bf

SHA256
6ef982bbd6fd705b4a8afe1be4aba6058d2d1373a3f4e679abbcea44ac6e6050

SHA512
cfe36c8cd33652b92a9b93bd6e4e3b9d2cd9e9599a19dca11d9591967e877367c12c4e896862917828ab20fd6515d4439973e662c1502dcc00440cb835a3acbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehjnw.exe

Filesize
688KB

MD5
bfe66643facc4ccb368d7ffe6ecdcfbb

SHA1
ca7f73ddfbc0e88b4eb4d86f7225ecd6973c78bf

SHA256
6ef982bbd6fd705b4a8afe1be4aba6058d2d1373a3f4e679abbcea44ac6e6050

SHA512
cfe36c8cd33652b92a9b93bd6e4e3b9d2cd9e9599a19dca11d9591967e877367c12c4e896862917828ab20fd6515d4439973e662c1502dcc00440cb835a3acbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\expjibxnlezqcfobinsld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixlbwldpjypckjoxa.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\phyrphcrogaqbdlxdhld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
223c845dfe1106a052412c37555758f0

SHA1
01f165d9cba77e295f8c3f0564aa4aeb0ecd24f4

SHA256
8718f6722541122ec957c9d3e7d0c6a04eed89284cfeb349d5d93835b27f364d

SHA512
c1014ec57b6a98c59dcc624e8c7efb4ec2ba4a75eb43621c7348cfd9d59c66f3a6f8d74870af375f2054a7b235e31e4c95124f9c76567aad764a671bc33ca95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
223c845dfe1106a052412c37555758f0

SHA1
01f165d9cba77e295f8c3f0564aa4aeb0ecd24f4

SHA256
8718f6722541122ec957c9d3e7d0c6a04eed89284cfeb349d5d93835b27f364d

SHA512
c1014ec57b6a98c59dcc624e8c7efb4ec2ba4a75eb43621c7348cfd9d59c66f3a6f8d74870af375f2054a7b235e31e4c95124f9c76567aad764a671bc33ca95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
223c845dfe1106a052412c37555758f0

SHA1
01f165d9cba77e295f8c3f0564aa4aeb0ecd24f4

SHA256
8718f6722541122ec957c9d3e7d0c6a04eed89284cfeb349d5d93835b27f364d

SHA512
c1014ec57b6a98c59dcc624e8c7efb4ec2ba4a75eb43621c7348cfd9d59c66f3a6f8d74870af375f2054a7b235e31e4c95124f9c76567aad764a671bc33ca95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhwnjzsfaqiwfflvzb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpiddxulkeasfjthpvbvoj.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\bpcrlzqbuiykrptb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\ctjbypjxtkdscdkvadg.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\expjibxnlezqcfobinsld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\ixlbwldpjypckjoxa.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\phyrphcrogaqbdlxdhld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\rhwnjzsfaqiwfflvzb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\SysWOW64\vpiddxulkeasfjthpvbvoj.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\bpcrlzqbuiykrptb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\bpcrlzqbuiykrptb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\bpcrlzqbuiykrptb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ctjbypjxtkdscdkvadg.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ctjbypjxtkdscdkvadg.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ctjbypjxtkdscdkvadg.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\expjibxnlezqcfobinsld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\expjibxnlezqcfobinsld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\expjibxnlezqcfobinsld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ixlbwldpjypckjoxa.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ixlbwldpjypckjoxa.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\ixlbwldpjypckjoxa.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\phyrphcrogaqbdlxdhld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\phyrphcrogaqbdlxdhld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\phyrphcrogaqbdlxdhld.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\rhwnjzsfaqiwfflvzb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\rhwnjzsfaqiwfflvzb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\rhwnjzsfaqiwfflvzb.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\vpiddxulkeasfjthpvbvoj.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\vpiddxulkeasfjthpvbvoj.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit
C:\Windows\vpiddxulkeasfjthpvbvoj.exe

Filesize
1016KB

MD5
7c426cef8ecaa87b81ffe2b200ffe7e0

SHA1
a3523449271aba6cf346f2e2b3463b57fbdeccfa

SHA256
200a0eaad2222057df3e4799f2962f5e998fef6bfce1649a3d2ac0dc6bb0a68a

SHA512
0a2ca0ed75b7109b0718a2705e639b89e1cfc4b927fbf26417735e039c7372b59c094ee89efc857c96d818fc460168b40b9f4f857dbdacc1bbf512c691628f14

Download Submit