eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

564KB
MD5

08f1c0665abb76735cf733a018f3c76e
SHA1

14966a4e6c22337c05487bfb732a588733616ef0
SHA256

eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974
SHA512

08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791
SSDEEP

6144:B8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU:qnRy+ZyYpaCDJFuPyAHcqrU

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wjixckr.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "czihwofunypckjoxa.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "czihwofunypckjoxa.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "jjvxpkewsgaqbdlxdhff.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "vrzxlcsgyiykrptb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "vrzxlcsgyiykrptb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkdmyjsfkv = "wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzzpvems = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe"	wjixckr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe

Executes dropped EXE 4 IoCs

pid	Process
4340	pwyrqtqlzgi.exe
2264	wjixckr.exe
504	wjixckr.exe
3124	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Blocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pwyrqtqlzgi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "czihwofunypckjoxa.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjdnamwkqck = "ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjdnamwkqck = "yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkfqercryluy = "czihwofunypckjoxa.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvghyslcxkdscdkvada.exe"	wjixckr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "ljttjcukeqiwfflvzb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjdnamwkqck = "ljttjcukeqiwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkfqercryluy = "yzmpiezspezqcfobinmna.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkfqercryluy = "vrzxlcsgyiykrptb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlspcshulujuaxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czihwofunypckjoxa.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "yzmpiezspezqcfobinmna.exe ."	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "vrzxlcsgyiykrptb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlspcshulujuaxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvghyslcxkdscdkvada.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlspcshulujuaxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "jjvxpkewsgaqbdlxdhff.exe ."	wjixckr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkfqercryluy = "ljttjcukeqiwfflvzb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "czihwofunypckjoxa.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlspcshulujuaxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlspcshulujuaxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "yzmpiezspezqcfobinmna.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjdnamwkqck = "wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "yzmpiezspezqcfobinmna.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkfqercryluy = "czihwofunypckjoxa.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmpiezspezqcfobinmna.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "ljttjcukeqiwfflvzb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvghyslcxkdscdkvada.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "wvghyslcxkdscdkvada.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe ."	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljttjcukeqiwfflvzb.exe"	wjixckr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe"	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhnjvkykaiwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzxlcsgyiykrptb.exe ."	wjixckr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vlnfnyiqcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvxpkewsgaqbdlxdhff.exe ."	wjixckr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsjqajqb = "ljttjcukeqiwfflvzb.exe"	wjixckr.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	www.showmyipaddress.com
44	whatismyip.everdot.org
10	whatismyipaddress.com
19	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	wjixckr.exe
File created	C:\autorun.inf	wjixckr.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe
File created	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\czihwofunypckjoxa.exe	wjixckr.exe
File created	C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File opened for modification	C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe
File created	C:\Program Files (x86)\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe
File opened for modification	C:\Program Files (x86)\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe
File created	C:\Program Files (x86)\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe
File opened for modification	C:\Windows\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File opened for modification	C:\Windows\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File opened for modification	C:\Windows\czihwofunypckjoxa.exe	wjixckr.exe
File opened for modification	C:\Windows\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File opened for modification	C:\Windows\prfjdawqoeasfjthpvvxlp.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vrzxlcsgyiykrptb.exe	wjixckr.exe
File opened for modification	C:\Windows\vrzxlcsgyiykrptb.exe	wjixckr.exe
File opened for modification	C:\Windows\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File opened for modification	C:\Windows\prfjdawqoeasfjthpvvxlp.exe	wjixckr.exe
File created	C:\Windows\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe
File opened for modification	C:\Windows\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\czihwofunypckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\czihwofunypckjoxa.exe	wjixckr.exe
File opened for modification	C:\Windows\jjvxpkewsgaqbdlxdhff.exe	wjixckr.exe
File opened for modification	C:\Windows\wvghyslcxkdscdkvada.exe	wjixckr.exe
File opened for modification	C:\Windows\yzmpiezspezqcfobinmna.exe	wjixckr.exe
File created	C:\Windows\irmxycfglilkepgbqdktozaeh.nkn	wjixckr.exe
File created	C:\Windows\vrzxlcsgyiykrptb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File created	C:\Windows\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File created	C:\Windows\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wvghyslcxkdscdkvada.exe	wjixckr.exe
File opened for modification	C:\Windows\ljttjcukeqiwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\wvghyslcxkdscdkvada.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File created	C:\Windows\jjvxpkewsgaqbdlxdhff.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\yzmpiezspezqcfobinmna.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\ljttjcukeqiwfflvzb.exe	wjixckr.exe
File opened for modification	C:\Windows\nhnjvkykaiwglhjppnfzfbncqcsaoydzbhhf.rxt	wjixckr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
2264	wjixckr.exe
4384	Trojan-Ransom.Win32.Blocker.exe
2264	wjixckr.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
2264	wjixckr.exe
2264	wjixckr.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe
4384	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	wjixckr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4340	4384	Trojan-Ransom.Win32.Blocker.exe	81
PID 4384 wrote to memory of 4340	4384	Trojan-Ransom.Win32.Blocker.exe	81
PID 4384 wrote to memory of 4340	4384	Trojan-Ransom.Win32.Blocker.exe	81
PID 4340 wrote to memory of 2264	4340	pwyrqtqlzgi.exe	82
PID 4340 wrote to memory of 2264	4340	pwyrqtqlzgi.exe	82
PID 4340 wrote to memory of 2264	4340	pwyrqtqlzgi.exe	82
PID 4340 wrote to memory of 504	4340	pwyrqtqlzgi.exe	83
PID 4340 wrote to memory of 504	4340	pwyrqtqlzgi.exe	83
PID 4340 wrote to memory of 504	4340	pwyrqtqlzgi.exe	83
PID 4384 wrote to memory of 3124	4384	Trojan-Ransom.Win32.Blocker.exe	92
PID 4384 wrote to memory of 3124	4384	Trojan-Ransom.Win32.Blocker.exe	92
PID 4384 wrote to memory of 3124	4384	Trojan-Ransom.Win32.Blocker.exe	92

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wjixckr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wjixckr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\wjixckr.exe
    "C:\Users\Admin\AppData\Local\Temp\wjixckr.exe" "-c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\wjixckr.exe
    "C:\Users\Admin\AppData\Local\Temp\wjixckr.exe" "-c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:504
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\czihwofunypckjoxa.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjvxpkewsgaqbdlxdhff.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljttjcukeqiwfflvzb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\prfjdawqoeasfjthpvvxlp.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrzxlcsgyiykrptb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjixckr.exe

Filesize
696KB

MD5
901d97959c8b98af5a9c6df8f8aabdc7

SHA1
8c5142dfa0ca80c1d735533f8205d074710b3b02

SHA256
c51f4c5496b33c46e2b5967419c2533b1807af70f3e4d062376076298a1f1c27

SHA512
29b98cb0b6065aae0e1a31f4b1790300a58398b77ffeae3755ee3622fc977d452f364b44457e23bea97235d9a36dcb5815bc99db2c93169656d47b5e339e4789

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjixckr.exe

Filesize
696KB

MD5
901d97959c8b98af5a9c6df8f8aabdc7

SHA1
8c5142dfa0ca80c1d735533f8205d074710b3b02

SHA256
c51f4c5496b33c46e2b5967419c2533b1807af70f3e4d062376076298a1f1c27

SHA512
29b98cb0b6065aae0e1a31f4b1790300a58398b77ffeae3755ee3622fc977d452f364b44457e23bea97235d9a36dcb5815bc99db2c93169656d47b5e339e4789

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjixckr.exe

Filesize
696KB

MD5
901d97959c8b98af5a9c6df8f8aabdc7

SHA1
8c5142dfa0ca80c1d735533f8205d074710b3b02

SHA256
c51f4c5496b33c46e2b5967419c2533b1807af70f3e4d062376076298a1f1c27

SHA512
29b98cb0b6065aae0e1a31f4b1790300a58398b77ffeae3755ee3622fc977d452f364b44457e23bea97235d9a36dcb5815bc99db2c93169656d47b5e339e4789

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvghyslcxkdscdkvada.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzmpiezspezqcfobinmna.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\czihwofunypckjoxa.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\jjvxpkewsgaqbdlxdhff.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\ljttjcukeqiwfflvzb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\prfjdawqoeasfjthpvvxlp.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\vrzxlcsgyiykrptb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\wvghyslcxkdscdkvada.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\yzmpiezspezqcfobinmna.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\czihwofunypckjoxa.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\czihwofunypckjoxa.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\czihwofunypckjoxa.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\jjvxpkewsgaqbdlxdhff.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\jjvxpkewsgaqbdlxdhff.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\jjvxpkewsgaqbdlxdhff.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\ljttjcukeqiwfflvzb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\ljttjcukeqiwfflvzb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\ljttjcukeqiwfflvzb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\prfjdawqoeasfjthpvvxlp.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\prfjdawqoeasfjthpvvxlp.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\prfjdawqoeasfjthpvvxlp.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\vrzxlcsgyiykrptb.exe

Filesize
64KB

MD5
6b2c7ca6c808ede972667971cbddbdcd

SHA1
c606084f2eed190fdcf6fba0b4198b5f45ea46b8

SHA256
31c3ac7fb0e256e6599c1ce09cfddf54138dae31f34dc988ba834981390bc827

SHA512
e3d440c710a969d4111956101aeababd5f601a95d5b55eb75302b0f69252c72e4f4e99598828f942541c47fd68a10ae942e1953943030511653315d9e8cb3558

Download Submit
C:\Windows\vrzxlcsgyiykrptb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\vrzxlcsgyiykrptb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\wvghyslcxkdscdkvada.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\wvghyslcxkdscdkvada.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\wvghyslcxkdscdkvada.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\yzmpiezspezqcfobinmna.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\yzmpiezspezqcfobinmna.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\yzmpiezspezqcfobinmna.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit