660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
Size

1016KB
MD5

928e5ae49d212720359baa5f7a310b70
SHA1

d88f71ef69600762a9cd122b4506235bb3d5319d
SHA256

660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658
SHA512

41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9
SSDEEP

6144:2IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:2IXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ceiuajs.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "pevunjfzrgwhjrdjnrgx.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "pevunjfzrgwhjrdjnrgx.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "pevunjfzrgwhjrdjnrgx.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "iuieungxmyltsxgjk.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "pevunjfzrgwhjrdjnrgx.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "bmzujbtjxiubzdln.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "bmzujbtjxiubzdln.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "iuieungxmyltsxgjk.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bgnclxjtbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sakcodsfqyhlg = "retqhbvndqenntdhjl.exe"	ceiuajs.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe

Executes dropped EXE 4 IoCs

pid	Process
2576	pwyrqtqlzgi.exe
1420	ceiuajs.exe
1980	ceiuajs.exe
2352	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pwyrqtqlzgi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "bmzujbtjxiubzdln.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgsmarixkuflils = "bmzujbtjxiubzdln.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "cqgewrmfwkzjkrchknb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "iuieungxmyltsxgjk.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgsmarixkuflils = "iuieungxmyltsxgjk.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgsmarixkuflils = "cqgewrmfwkzjkrchknb.exe ."	ceiuajs.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "pevunjfzrgwhjrdjnrgx.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "iuieungxmyltsxgjk.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	ceiuajs.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "pevunjfzrgwhjrdjnrgx.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "retqhbvndqenntdhjl.exe"	ceiuajs.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "retqhbvndqenntdhjl.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eummgdavoevhktgnsxnff.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\retqhbvndqenntdhjl.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "iuieungxmyltsxgjk.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevunjfzrgwhjrdjnrgx.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "eummgdavoevhktgnsxnff.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgsmarixkuflils = "cqgewrmfwkzjkrchknb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "retqhbvndqenntdhjl.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuieungxmyltsxgjk.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bmzujbtjxiubzdln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgsmarixkuflils = "retqhbvndqenntdhjl.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "iuieungxmyltsxgjk.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "pevunjfzrgwhjrdjnrgx.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iuieungxmyltsxgjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tajalznzjqyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmzujbtjxiubzdln.exe ."	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcngtjznzisxtv = "cqgewrmfwkzjkrchknb.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eummgdavoevhktgnsxnff.exe"	ceiuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "bmzujbtjxiubzdln.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wckakxkvekr = "bmzujbtjxiubzdln.exe"	ceiuajs.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	whatismyip.everdot.org
21	whatismyipaddress.com
25	whatismyip.everdot.org
32	www.showmyipaddress.com

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	ceiuajs.exe
File created	C:\autorun.inf	ceiuajs.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bmzujbtjxiubzdln.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vmfgbzxtnewjnxltzfwpql.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\eummgdavoevhktgnsxnff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\cqgewrmfwkzjkrchknb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\iuieungxmyltsxgjk.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\retqhbvndqenntdhjl.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\cqgewrmfwkzjkrchknb.exe	ceiuajs.exe
File created	C:\Windows\SysWOW64\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\iuieungxmyltsxgjk.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\iuieungxmyltsxgjk.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\retqhbvndqenntdhjl.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\eummgdavoevhktgnsxnff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\bmzujbtjxiubzdln.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\vmfgbzxtnewjnxltzfwpql.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vmfgbzxtnewjnxltzfwpql.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\vmfgbzxtnewjnxltzfwpql.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\pevunjfzrgwhjrdjnrgx.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\pevunjfzrgwhjrdjnrgx.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\iuieungxmyltsxgjk.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\cqgewrmfwkzjkrchknb.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\bmzujbtjxiubzdln.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\bmzujbtjxiubzdln.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\retqhbvndqenntdhjl.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\pevunjfzrgwhjrdjnrgx.exe	ceiuajs.exe
File created	C:\Windows\SysWOW64\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\cqgewrmfwkzjkrchknb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\pevunjfzrgwhjrdjnrgx.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\eummgdavoevhktgnsxnff.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\eummgdavoevhktgnsxnff.exe	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File opened for modification	C:\Windows\SysWOW64\retqhbvndqenntdhjl.exe	pwyrqtqlzgi.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File created	C:\Program Files (x86)\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File opened for modification	C:\Program Files (x86)\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe
File created	C:\Program Files (x86)\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cqgewrmfwkzjkrchknb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\eummgdavoevhktgnsxnff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\pevunjfzrgwhjrdjnrgx.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bmzujbtjxiubzdln.exe	ceiuajs.exe
File opened for modification	C:\Windows\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe
File opened for modification	C:\Windows\retqhbvndqenntdhjl.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\cqgewrmfwkzjkrchknb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\eummgdavoevhktgnsxnff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\pevunjfzrgwhjrdjnrgx.exe	ceiuajs.exe
File opened for modification	C:\Windows\cqgewrmfwkzjkrchknb.exe	ceiuajs.exe
File opened for modification	C:\Windows\iuieungxmyltsxgjk.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vmfgbzxtnewjnxltzfwpql.exe	ceiuajs.exe
File opened for modification	C:\Windows\bmzujbtjxiubzdln.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bmzujbtjxiubzdln.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\retqhbvndqenntdhjl.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\iuieungxmyltsxgjk.exe	ceiuajs.exe
File opened for modification	C:\Windows\iuieungxmyltsxgjk.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vmfgbzxtnewjnxltzfwpql.exe	ceiuajs.exe
File opened for modification	C:\Windows\iuieungxmyltsxgjk.exe	ceiuajs.exe
File opened for modification	C:\Windows\vmfgbzxtnewjnxltzfwpql.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\cqgewrmfwkzjkrchknb.exe	ceiuajs.exe
File created	C:\Windows\tajalznzjqybvvzxtpwfwhvjvfmuxrrvtp.sbs	ceiuajs.exe
File opened for modification	C:\Windows\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File created	C:\Windows\gcaggjmnmifxgvobmxtrxxa.edz	ceiuajs.exe
File opened for modification	C:\Windows\vmfgbzxtnewjnxltzfwpql.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\pevunjfzrgwhjrdjnrgx.exe	ceiuajs.exe
File opened for modification	C:\Windows\retqhbvndqenntdhjl.exe	ceiuajs.exe
File opened for modification	C:\Windows\eummgdavoevhktgnsxnff.exe	ceiuajs.exe
File opened for modification	C:\Windows\pevunjfzrgwhjrdjnrgx.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\bmzujbtjxiubzdln.exe	ceiuajs.exe
File opened for modification	C:\Windows\retqhbvndqenntdhjl.exe	ceiuajs.exe
File opened for modification	C:\Windows\eummgdavoevhktgnsxnff.exe	ceiuajs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
1420	ceiuajs.exe
1420	ceiuajs.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
1420	ceiuajs.exe
1420	ceiuajs.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	ceiuajs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2576	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	82
PID 4636 wrote to memory of 2576	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	82
PID 4636 wrote to memory of 2576	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	82
PID 2576 wrote to memory of 1420	2576	pwyrqtqlzgi.exe	83
PID 2576 wrote to memory of 1420	2576	pwyrqtqlzgi.exe	83
PID 2576 wrote to memory of 1420	2576	pwyrqtqlzgi.exe	83
PID 2576 wrote to memory of 1980	2576	pwyrqtqlzgi.exe	84
PID 2576 wrote to memory of 1980	2576	pwyrqtqlzgi.exe	84
PID 2576 wrote to memory of 1980	2576	pwyrqtqlzgi.exe	84
PID 4636 wrote to memory of 2352	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	92
PID 4636 wrote to memory of 2352	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	92
PID 4636 wrote to memory of 2352	4636	660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe	92

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ceiuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ceiuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceiuajs.exe

C:\Users\Admin\AppData\Local\Temp\660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe
"C:\Users\Admin\AppData\Local\Temp\660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe
    "C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe" "-C:\Users\Admin\AppData\Local\Temp\bmzujbtjxiubzdln.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe
    "C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe" "-C:\Users\Admin\AppData\Local\Temp\bmzujbtjxiubzdln.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1980
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bmzujbtjxiubzdln.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe

Filesize
720KB

MD5
f79be529253dd0c0fa089817eb74109a

SHA1
0cec0655d77ea96c6177063c6a81c2dfca13ad42

SHA256
09183c58710998fda6fa33ec961633d337b09ccb284dbc0ca2296fdc26768bf8

SHA512
0b065eb05aa766b6ded4eb4f23049235a2d0fd2eea0548af21f7b472cf21ee034b97b2957868415378526e46dcd02c53f2cfbb771bf77e19a93d9dd5974b54aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe

Filesize
720KB

MD5
f79be529253dd0c0fa089817eb74109a

SHA1
0cec0655d77ea96c6177063c6a81c2dfca13ad42

SHA256
09183c58710998fda6fa33ec961633d337b09ccb284dbc0ca2296fdc26768bf8

SHA512
0b065eb05aa766b6ded4eb4f23049235a2d0fd2eea0548af21f7b472cf21ee034b97b2957868415378526e46dcd02c53f2cfbb771bf77e19a93d9dd5974b54aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceiuajs.exe

Filesize
720KB

MD5
f79be529253dd0c0fa089817eb74109a

SHA1
0cec0655d77ea96c6177063c6a81c2dfca13ad42

SHA256
09183c58710998fda6fa33ec961633d337b09ccb284dbc0ca2296fdc26768bf8

SHA512
0b065eb05aa766b6ded4eb4f23049235a2d0fd2eea0548af21f7b472cf21ee034b97b2957868415378526e46dcd02c53f2cfbb771bf77e19a93d9dd5974b54aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqgewrmfwkzjkrchknb.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eummgdavoevhktgnsxnff.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuieungxmyltsxgjk.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pevunjfzrgwhjrdjnrgx.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
1224ca930de8f7f8571b4f06466512b1

SHA1
6b1acf6e03160e27af72d6fb6e4320413589e79c

SHA256
abebc60c7e6e740fe24d032c2d03310f0f8d551906f307097ff1599a1d0b2a13

SHA512
b200b77e011e372e40326d96522324a7c75ff1d146c46c6b49fb3b66886b66f8a6b964f96cf2100d6901e164f0b1bb3ca4dca68253d22238ece077e55e2606cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
1224ca930de8f7f8571b4f06466512b1

SHA1
6b1acf6e03160e27af72d6fb6e4320413589e79c

SHA256
abebc60c7e6e740fe24d032c2d03310f0f8d551906f307097ff1599a1d0b2a13

SHA512
b200b77e011e372e40326d96522324a7c75ff1d146c46c6b49fb3b66886b66f8a6b964f96cf2100d6901e164f0b1bb3ca4dca68253d22238ece077e55e2606cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
1224ca930de8f7f8571b4f06466512b1

SHA1
6b1acf6e03160e27af72d6fb6e4320413589e79c

SHA256
abebc60c7e6e740fe24d032c2d03310f0f8d551906f307097ff1599a1d0b2a13

SHA512
b200b77e011e372e40326d96522324a7c75ff1d146c46c6b49fb3b66886b66f8a6b964f96cf2100d6901e164f0b1bb3ca4dca68253d22238ece077e55e2606cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\retqhbvndqenntdhjl.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmfgbzxtnewjnxltzfwpql.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\bmzujbtjxiubzdln.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\cqgewrmfwkzjkrchknb.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\eummgdavoevhktgnsxnff.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\iuieungxmyltsxgjk.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\pevunjfzrgwhjrdjnrgx.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\retqhbvndqenntdhjl.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\SysWOW64\vmfgbzxtnewjnxltzfwpql.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\bmzujbtjxiubzdln.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\bmzujbtjxiubzdln.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\bmzujbtjxiubzdln.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\cqgewrmfwkzjkrchknb.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\cqgewrmfwkzjkrchknb.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\cqgewrmfwkzjkrchknb.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\eummgdavoevhktgnsxnff.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\eummgdavoevhktgnsxnff.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\eummgdavoevhktgnsxnff.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\iuieungxmyltsxgjk.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\iuieungxmyltsxgjk.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\iuieungxmyltsxgjk.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\pevunjfzrgwhjrdjnrgx.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\pevunjfzrgwhjrdjnrgx.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\pevunjfzrgwhjrdjnrgx.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\retqhbvndqenntdhjl.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\retqhbvndqenntdhjl.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\retqhbvndqenntdhjl.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\vmfgbzxtnewjnxltzfwpql.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\vmfgbzxtnewjnxltzfwpql.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
C:\Windows\vmfgbzxtnewjnxltzfwpql.exe

Filesize
1016KB

MD5
928e5ae49d212720359baa5f7a310b70

SHA1
d88f71ef69600762a9cd122b4506235bb3d5319d

SHA256
660abfaa776f2ad8db69d82bbf076d9e773cf7c2ec24b8246fe47ac303569658

SHA512
41907f1d2b4c8d77494b21bc0c62dae86a2fc098c67d0375c091ee4272f38048a69ea658b7a1b16d8c8fb98fcb362ef60e1bd497fd19d9d5856273fbc98454b9

Download Submit
memory/1420-137-0x0000000000000000-mapping.dmp

Download
memory/1980-140-0x0000000000000000-mapping.dmp

Download
memory/2352-170-0x0000000000000000-mapping.dmp

Download
memory/2576-134-0x0000000000000000-mapping.dmp

Download