c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

Analysis

max time kernel
189s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
Size

1016KB
MD5

93c97d4b7b5ba1ef2c1c5811827ca110
SHA1

34772233f65eb2739d702227f261406b53aa99af
SHA256

c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11
SHA512

30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4
SSDEEP

6144:8IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:8IXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bjkov.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe

Adds policy Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "zvkcxnifqlmxsddtood.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "zvkcxnifqlmxsddtood.exe"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "fzmcvjcxgzyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "mjzsofbzlhjvrdevrsif.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "ojxoixrnxrrbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "bzqkhzwvifivsfhzwypne.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "bzqkhzwvifivsfhzwypne.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "fzmcvjcxgzyhajhvo.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zjmsbfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ylramtftvh = "fzmcvjcxgzyhajhvo.exe"	bjkov.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe

Executes dropped EXE 4 IoCs

pid	Process
3172	yborjrewily.exe
1648	bjkov.exe
3212	bjkov.exe
3160	yborjrewily.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yborjrewily.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjzsofbzlhjvrdevrsif.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "fzmcvjcxgzyhajhvo.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "fzmcvjcxgzyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "bzqkhzwvifivsfhzwypne.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thoyltgvyle = "zvkcxnifqlmxsddtood.exe"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "yrdskxpjrjhphpmz.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjzsofbzlhjvrdevrsif.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe"	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "ojxoixrnxrrbvfetnm.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe ."	bjkov.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thoyltgvyle = "yrdskxpjrjhphpmz.exe"	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "fzmcvjcxgzyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thoyltgvyle = "zvkcxnifqlmxsddtood.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "zvkcxnifqlmxsddtood.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfnymvjzdrlp = "ojxoixrnxrrbvfetnm.exe ."	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thoyltgvyle = "ojxoixrnxrrbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfnymvjzdrlp = "fzmcvjcxgzyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe ."	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjzsofbzlhjvrdevrsif.exe"	bjkov.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfnymvjzdrlp = "bzqkhzwvifivsfhzwypne.exe ."	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe ."	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfnymvjzdrlp = "zvkcxnifqlmxsddtood.exe ."	bjkov.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe"	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe ."	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvkcxnifqlmxsddtood.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qhreufvntjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzqkhzwvifivsfhzwypne.exe"	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "bzqkhzwvifivsfhzwypne.exe ."	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrdskxpjrjhphpmz.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "ojxoixrnxrrbvfetnm.exe"	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfoapzofkzuzo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzmcvjcxgzyhajhvo.exe ."	bjkov.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frwepvgtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojxoixrnxrrbvfetnm.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "bzqkhzwvifivsfhzwypne.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfnymvjzdrlp = "mjzsofbzlhjvrdevrsif.exe ."	bjkov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozdkuzjv = "zvkcxnifqlmxsddtood.exe"	bjkov.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	whatismyip.everdot.org
21	www.showmyipaddress.com
23	whatismyipaddress.com
32	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	bjkov.exe
File created	C:\autorun.inf	bjkov.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\srjecvtthfjxvjmfdgyxpk.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yrdskxpjrjhphpmz.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\fzmcvjcxgzyhajhvo.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\zvkcxnifqlmxsddtood.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\bzqkhzwvifivsfhzwypne.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\mjzsofbzlhjvrdevrsif.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yrdskxpjrjhphpmz.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\srjecvtthfjxvjmfdgyxpk.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\bzqkhzwvifivsfhzwypne.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ojxoixrnxrrbvfetnm.exe	bjkov.exe
File created	C:\Windows\SysWOW64\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\srjecvtthfjxvjmfdgyxpk.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yrdskxpjrjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\fzmcvjcxgzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\zvkcxnifqlmxsddtood.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\mjzsofbzlhjvrdevrsif.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\srjecvtthfjxvjmfdgyxpk.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\fzmcvjcxgzyhajhvo.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\mjzsofbzlhjvrdevrsif.exe	bjkov.exe
File created	C:\Windows\SysWOW64\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\ojxoixrnxrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ojxoixrnxrrbvfetnm.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\mjzsofbzlhjvrdevrsif.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\bzqkhzwvifivsfhzwypne.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\bzqkhzwvifivsfhzwypne.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\yrdskxpjrjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\zvkcxnifqlmxsddtood.exe	bjkov.exe
File opened for modification	C:\Windows\SysWOW64\fzmcvjcxgzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ojxoixrnxrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\zvkcxnifqlmxsddtood.exe	yborjrewily.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe
File opened for modification	C:\Program Files (x86)\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File created	C:\Program Files (x86)\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File opened for modification	C:\Program Files (x86)\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yrdskxpjrjhphpmz.exe	bjkov.exe
File opened for modification	C:\Windows\bzqkhzwvifivsfhzwypne.exe	bjkov.exe
File opened for modification	C:\Windows\zvkcxnifqlmxsddtood.exe	yborjrewily.exe
File opened for modification	C:\Windows\srjecvtthfjxvjmfdgyxpk.exe	yborjrewily.exe
File opened for modification	C:\Windows\bzqkhzwvifivsfhzwypne.exe	yborjrewily.exe
File opened for modification	C:\Windows\ojxoixrnxrrbvfetnm.exe	bjkov.exe
File opened for modification	C:\Windows\zvkcxnifqlmxsddtood.exe	bjkov.exe
File opened for modification	C:\Windows\fzmcvjcxgzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\ojxoixrnxrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\bzqkhzwvifivsfhzwypne.exe	yborjrewily.exe
File opened for modification	C:\Windows\zvkcxnifqlmxsddtood.exe	yborjrewily.exe
File opened for modification	C:\Windows\mjzsofbzlhjvrdevrsif.exe	bjkov.exe
File opened for modification	C:\Windows\yrdskxpjrjhphpmz.exe	bjkov.exe
File opened for modification	C:\Windows\mjzsofbzlhjvrdevrsif.exe	yborjrewily.exe
File opened for modification	C:\Windows\fzmcvjcxgzyhajhvo.exe	yborjrewily.exe
File created	C:\Windows\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe
File opened for modification	C:\Windows\srjecvtthfjxvjmfdgyxpk.exe	bjkov.exe
File opened for modification	C:\Windows\fzmcvjcxgzyhajhvo.exe	bjkov.exe
File opened for modification	C:\Windows\ojxoixrnxrrbvfetnm.exe	bjkov.exe
File opened for modification	C:\Windows\mjzsofbzlhjvrdevrsif.exe	bjkov.exe
File opened for modification	C:\Windows\lrqsxxcjejupupzzeontsuzze.glw	bjkov.exe
File opened for modification	C:\Windows\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File opened for modification	C:\Windows\yrdskxpjrjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\fzmcvjcxgzyhajhvo.exe	bjkov.exe
File opened for modification	C:\Windows\ojxoixrnxrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\mjzsofbzlhjvrdevrsif.exe	yborjrewily.exe
File opened for modification	C:\Windows\zvkcxnifqlmxsddtood.exe	bjkov.exe
File opened for modification	C:\Windows\bzqkhzwvifivsfhzwypne.exe	bjkov.exe
File opened for modification	C:\Windows\srjecvtthfjxvjmfdgyxpk.exe	yborjrewily.exe
File opened for modification	C:\Windows\yrdskxpjrjhphpmz.exe	yborjrewily.exe
File created	C:\Windows\qhreufvntjflbhcndyizjwmxnflbxdtzufvq.rbo	bjkov.exe
File opened for modification	C:\Windows\srjecvtthfjxvjmfdgyxpk.exe	bjkov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
1648	bjkov.exe
1648	bjkov.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	bjkov.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3172	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	81
PID 5040 wrote to memory of 3172	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	81
PID 5040 wrote to memory of 3172	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	81
PID 3172 wrote to memory of 1648	3172	yborjrewily.exe	83
PID 3172 wrote to memory of 1648	3172	yborjrewily.exe	83
PID 3172 wrote to memory of 1648	3172	yborjrewily.exe	83
PID 3172 wrote to memory of 3212	3172	yborjrewily.exe	82
PID 3172 wrote to memory of 3212	3172	yborjrewily.exe	82
PID 3172 wrote to memory of 3212	3172	yborjrewily.exe	82
PID 5040 wrote to memory of 3160	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	91
PID 5040 wrote to memory of 3160	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	91
PID 5040 wrote to memory of 3160	5040	c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe	91

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bjkov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bjkov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yborjrewily.exe

C:\Users\Admin\AppData\Local\Temp\c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe
"C:\Users\Admin\AppData\Local\Temp\c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\bjkov.exe
    "C:\Users\Admin\AppData\Local\Temp\bjkov.exe" "-C:\Users\Admin\AppData\Local\Temp\yrdskxpjrjhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\bjkov.exe
    "C:\Users\Admin\AppData\Local\Temp\bjkov.exe" "-C:\Users\Admin\AppData\Local\Temp\yrdskxpjrjhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1648
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjkov.exe

Filesize
724KB

MD5
c548d78fdca83da527444e496547b8df

SHA1
08d091e5c3415a907040778fbc755ebf49c30c1d

SHA256
dcbd50df5e957530c140e2ff66fced1e03b458ffd05588758caa275a0da5722e

SHA512
854632820e60ecdca53b5b47614048b94731ab96e0ba2f6944518f45754194cf5508e0e10ff44e3acf82d9170655b34e7b2210ab2f483523170bc36871535db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjkov.exe

Filesize
724KB

MD5
c548d78fdca83da527444e496547b8df

SHA1
08d091e5c3415a907040778fbc755ebf49c30c1d

SHA256
dcbd50df5e957530c140e2ff66fced1e03b458ffd05588758caa275a0da5722e

SHA512
854632820e60ecdca53b5b47614048b94731ab96e0ba2f6944518f45754194cf5508e0e10ff44e3acf82d9170655b34e7b2210ab2f483523170bc36871535db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjkov.exe

Filesize
724KB

MD5
c548d78fdca83da527444e496547b8df

SHA1
08d091e5c3415a907040778fbc755ebf49c30c1d

SHA256
dcbd50df5e957530c140e2ff66fced1e03b458ffd05588758caa275a0da5722e

SHA512
854632820e60ecdca53b5b47614048b94731ab96e0ba2f6944518f45754194cf5508e0e10ff44e3acf82d9170655b34e7b2210ab2f483523170bc36871535db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzqkhzwvifivsfhzwypne.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzmcvjcxgzyhajhvo.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjzsofbzlhjvrdevrsif.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojxoixrnxrrbvfetnm.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\srjecvtthfjxvjmfdgyxpk.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
f4233e077f978eb32d0e6bf45b516b26

SHA1
d8901fede24ecdbff1753c153af887e18a0a8291

SHA256
86c9b91950a40416df3b94ffcc3ed4dfa12e2f729b06c35a4cbb18f58cd90468

SHA512
7750d173f9467551d7bb24b039617df93a6ff547658bb885a9af6afaccd5e4a418cad1500197f2cfd0317b546988e66fe82b2765446fa6fd40e16832eb2d87d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
f4233e077f978eb32d0e6bf45b516b26

SHA1
d8901fede24ecdbff1753c153af887e18a0a8291

SHA256
86c9b91950a40416df3b94ffcc3ed4dfa12e2f729b06c35a4cbb18f58cd90468

SHA512
7750d173f9467551d7bb24b039617df93a6ff547658bb885a9af6afaccd5e4a418cad1500197f2cfd0317b546988e66fe82b2765446fa6fd40e16832eb2d87d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
f4233e077f978eb32d0e6bf45b516b26

SHA1
d8901fede24ecdbff1753c153af887e18a0a8291

SHA256
86c9b91950a40416df3b94ffcc3ed4dfa12e2f729b06c35a4cbb18f58cd90468

SHA512
7750d173f9467551d7bb24b039617df93a6ff547658bb885a9af6afaccd5e4a418cad1500197f2cfd0317b546988e66fe82b2765446fa6fd40e16832eb2d87d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrdskxpjrjhphpmz.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvkcxnifqlmxsddtood.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\bzqkhzwvifivsfhzwypne.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\fzmcvjcxgzyhajhvo.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\mjzsofbzlhjvrdevrsif.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\ojxoixrnxrrbvfetnm.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\srjecvtthfjxvjmfdgyxpk.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\yrdskxpjrjhphpmz.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\SysWOW64\zvkcxnifqlmxsddtood.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\bzqkhzwvifivsfhzwypne.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\bzqkhzwvifivsfhzwypne.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\bzqkhzwvifivsfhzwypne.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\fzmcvjcxgzyhajhvo.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\fzmcvjcxgzyhajhvo.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\fzmcvjcxgzyhajhvo.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\mjzsofbzlhjvrdevrsif.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\mjzsofbzlhjvrdevrsif.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\mjzsofbzlhjvrdevrsif.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\ojxoixrnxrrbvfetnm.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\ojxoixrnxrrbvfetnm.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\ojxoixrnxrrbvfetnm.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\srjecvtthfjxvjmfdgyxpk.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\srjecvtthfjxvjmfdgyxpk.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\srjecvtthfjxvjmfdgyxpk.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\yrdskxpjrjhphpmz.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\yrdskxpjrjhphpmz.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\yrdskxpjrjhphpmz.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\zvkcxnifqlmxsddtood.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\zvkcxnifqlmxsddtood.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit
C:\Windows\zvkcxnifqlmxsddtood.exe

Filesize
1016KB

MD5
93c97d4b7b5ba1ef2c1c5811827ca110

SHA1
34772233f65eb2739d702227f261406b53aa99af

SHA256
c91f3a7eb9eff446a1597cd4d005384cfc773a9a550bef1a3ecacf43fe6d2e11

SHA512
30990baa8f7faaf1fa6b6559dd231a05908a87a397c0c8d084f27693f6fe30bc0a59f76a29334f881f3225ba7c7297313bf167dc5b82a3b58e472529c70957c4

Download Submit