74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
Size

1016KB
MD5

088efce33e3437bcd86493a04a59ca50
SHA1

8534b1ad9da1994dc6a428d9e5d43bfa9542e6be
SHA256

74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7
SHA512

c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94
SSDEEP

6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUPzo0zo:wIXsgtvm1De5YlOx6lzBH46UPzo0zo

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "yumcaqhcwlmxsddtooc.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "xqfsnaogxjhphpmz.exe"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "eyocymbumzyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sgqyowfsele = "yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nyfkxcis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfsnaogxjhphpmz.exe"	aimoy.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe

Executes dropped EXE 4 IoCs

pid	Process
3576	yborjrewily.exe
2508	aimoy.exe
4960	aimoy.exe
4604	yborjrewily.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yborjrewily.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "libsriawrhjvrdevrshe.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "eyocymbumzyhajhvo.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgtexiukzjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pepypyiwjrlp = "eyocymbumzyhajhvo.exe"	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsriawrhjvrdevrshe.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pepypyiwjrlp = "eyocymbumzyhajhvo.exe"	aimoy.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgtexiukzjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "libsriawrhjvrdevrshe.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "xqfsnaogxjhphpmz.exe"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "eyocymbumzyhajhvo.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "xqfsnaogxjhphpmz.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfsnaogxjhphpmz.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pepypyiwjrlp = "yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "libsriawrhjvrdevrshe.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pepypyiwjrlp = "xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "nizolaqkdrrbvfetnm.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "xqfsnaogxjhphpmz.exe ."	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "nizolaqkdrrbvfetnm.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "eyocymbumzyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgtexiukzjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfsnaogxjhphpmz.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgtexiukzjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsriawrhjvrdevrshe.exe ."	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "nizolaqkdrrbvfetnm.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "ayskkcvsofivsfhzwyomg.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgtexiukzjflbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yumcaqhcwlmxsddtooc.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "xqfsnaogxjhphpmz.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayskkcvsofivsfhzwyomg.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyocymbumzyhajhvo.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe"	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nizolaqkdrrbvfetnm.exe"	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqfsnaogxjhphpmz.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skykeqdukvszqxt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsriawrhjvrdevrshe.exe"	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "yumcaqhcwlmxsddtooc.exe ."	aimoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oeqascncqzuzo = "eyocymbumzyhajhvo.exe ."	aimoy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xktapweqbh = "nizolaqkdrrbvfetnm.exe ."	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqyesyfqa = "eyocymbumzyhajhvo.exe"	aimoy.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aimoy.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	www.showmyipaddress.com
46	whatismyip.everdot.org
14	www.showmyipaddress.com
20	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	aimoy.exe
File created	C:\autorun.inf	aimoy.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yumcaqhcwlmxsddtooc.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ayskkcvsofivsfhzwyomg.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\rqlefysqnfjxvjmfdgxwrk.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\eyocymbumzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yumcaqhcwlmxsddtooc.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\nizolaqkdrrbvfetnm.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\xqfsnaogxjhphpmz.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\eyocymbumzyhajhvo.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\nizolaqkdrrbvfetnm.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\ayskkcvsofivsfhzwyomg.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\nizolaqkdrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xqfsnaogxjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\nizolaqkdrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\rqlefysqnfjxvjmfdgxwrk.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\libsriawrhjvrdevrshe.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\libsriawrhjvrdevrshe.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\rqlefysqnfjxvjmfdgxwrk.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xqfsnaogxjhphpmz.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\eyocymbumzyhajhvo.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File created	C:\Windows\SysWOW64\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\ayskkcvsofivsfhzwyomg.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yumcaqhcwlmxsddtooc.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\libsriawrhjvrdevrshe.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\xqfsnaogxjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\ayskkcvsofivsfhzwyomg.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\libsriawrhjvrdevrshe.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\eyocymbumzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\yumcaqhcwlmxsddtooc.exe	aimoy.exe
File opened for modification	C:\Windows\SysWOW64\rqlefysqnfjxvjmfdgxwrk.exe	yborjrewily.exe
File created	C:\Windows\SysWOW64\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File created	C:\Program Files (x86)\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File opened for modification	C:\Program Files (x86)\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe
File created	C:\Program Files (x86)\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\eyocymbumzyhajhvo.exe	aimoy.exe
File opened for modification	C:\Windows\ayskkcvsofivsfhzwyomg.exe	aimoy.exe
File opened for modification	C:\Windows\nizolaqkdrrbvfetnm.exe	aimoy.exe
File opened for modification	C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe	aimoy.exe
File opened for modification	C:\Windows\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe
File opened for modification	C:\Windows\eyocymbumzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\libsriawrhjvrdevrshe.exe	yborjrewily.exe
File opened for modification	C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe	yborjrewily.exe
File opened for modification	C:\Windows\nizolaqkdrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\libsriawrhjvrdevrshe.exe	yborjrewily.exe
File created	C:\Windows\xktapweqbhzbnpgnzqvirynucozfxzln.lxo	aimoy.exe
File opened for modification	C:\Windows\xqfsnaogxjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\yumcaqhcwlmxsddtooc.exe	yborjrewily.exe
File created	C:\Windows\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File opened for modification	C:\Windows\nizolaqkdrrbvfetnm.exe	aimoy.exe
File opened for modification	C:\Windows\yumcaqhcwlmxsddtooc.exe	aimoy.exe
File opened for modification	C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe	yborjrewily.exe
File opened for modification	C:\Windows\ayskkcvsofivsfhzwyomg.exe	yborjrewily.exe
File opened for modification	C:\Windows\eyocymbumzyhajhvo.exe	aimoy.exe
File opened for modification	C:\Windows\yumcaqhcwlmxsddtooc.exe	yborjrewily.exe
File opened for modification	C:\Windows\eyocymbumzyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\ayskkcvsofivsfhzwyomg.exe	aimoy.exe
File opened for modification	C:\Windows\cecycyvwwrypqhnjkqkmk.kgd	aimoy.exe
File opened for modification	C:\Windows\ayskkcvsofivsfhzwyomg.exe	yborjrewily.exe
File opened for modification	C:\Windows\yumcaqhcwlmxsddtooc.exe	aimoy.exe
File opened for modification	C:\Windows\xqfsnaogxjhphpmz.exe	aimoy.exe
File opened for modification	C:\Windows\nizolaqkdrrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\libsriawrhjvrdevrshe.exe	aimoy.exe
File opened for modification	C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe	aimoy.exe
File opened for modification	C:\Windows\xqfsnaogxjhphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\xqfsnaogxjhphpmz.exe	aimoy.exe
File opened for modification	C:\Windows\libsriawrhjvrdevrshe.exe	aimoy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
2508	aimoy.exe
2508	aimoy.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
2508	aimoy.exe
2508	aimoy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	aimoy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 3576	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	81
PID 3744 wrote to memory of 3576	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	81
PID 3744 wrote to memory of 3576	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	81
PID 3576 wrote to memory of 2508	3576	yborjrewily.exe	82
PID 3576 wrote to memory of 2508	3576	yborjrewily.exe	82
PID 3576 wrote to memory of 2508	3576	yborjrewily.exe	82
PID 3576 wrote to memory of 4960	3576	yborjrewily.exe	83
PID 3576 wrote to memory of 4960	3576	yborjrewily.exe	83
PID 3576 wrote to memory of 4960	3576	yborjrewily.exe	83
PID 3744 wrote to memory of 4604	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	89
PID 3744 wrote to memory of 4604	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	89
PID 3744 wrote to memory of 4604	3744	74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe	89

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aimoy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimoy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aimoy.exe

C:\Users\Admin\AppData\Local\Temp\74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe
"C:\Users\Admin\AppData\Local\Temp\74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\aimoy.exe
    "C:\Users\Admin\AppData\Local\Temp\aimoy.exe" "-C:\Users\Admin\AppData\Local\Temp\xqfsnaogxjhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\aimoy.exe
    "C:\Users\Admin\AppData\Local\Temp\aimoy.exe" "-C:\Users\Admin\AppData\Local\Temp\xqfsnaogxjhphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aimoy.exe

Filesize
716KB

MD5
5065a64fbaab5fe47c3014d576d7b90e

SHA1
ee5070a03b3a7b7aff852fdd2d6e2af6fd2542db

SHA256
a37e8575696e84d35e08deccd818fceb3a054520bd9cfb04a52e7e3b2a832b86

SHA512
9eb99416e120488174a32762ac5a903cf5dece62c70a796f21d625803c90df92b994e64cb87e6336c9cc018b38763e7e0c65852540700a6ddbecc972f97d9210

Download Submit
C:\Users\Admin\AppData\Local\Temp\aimoy.exe

Filesize
716KB

MD5
5065a64fbaab5fe47c3014d576d7b90e

SHA1
ee5070a03b3a7b7aff852fdd2d6e2af6fd2542db

SHA256
a37e8575696e84d35e08deccd818fceb3a054520bd9cfb04a52e7e3b2a832b86

SHA512
9eb99416e120488174a32762ac5a903cf5dece62c70a796f21d625803c90df92b994e64cb87e6336c9cc018b38763e7e0c65852540700a6ddbecc972f97d9210

Download Submit
C:\Users\Admin\AppData\Local\Temp\aimoy.exe

Filesize
716KB

MD5
5065a64fbaab5fe47c3014d576d7b90e

SHA1
ee5070a03b3a7b7aff852fdd2d6e2af6fd2542db

SHA256
a37e8575696e84d35e08deccd818fceb3a054520bd9cfb04a52e7e3b2a832b86

SHA512
9eb99416e120488174a32762ac5a903cf5dece62c70a796f21d625803c90df92b994e64cb87e6336c9cc018b38763e7e0c65852540700a6ddbecc972f97d9210

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayskkcvsofivsfhzwyomg.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyocymbumzyhajhvo.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\libsriawrhjvrdevrshe.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nizolaqkdrrbvfetnm.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqlefysqnfjxvjmfdgxwrk.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqfsnaogxjhphpmz.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
fc105e8c6ebcd8e7994ba8d2c7bb2d0f

SHA1
74da45b80995569e4c3442be31bec99ecab8445c

SHA256
346d24f35ff3011dae9375ed8c790144a87c55215912d0eda6a755ec2ee60465

SHA512
a751bb1e7b02c3e065d9c3c67750f5769bd9a1bcc7f9c13208f01b2a3cd67ff342bb953316a59a9caf03c2abb7f5bb98135e19030f4b663a745e3a3d0dbe3070

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
fc105e8c6ebcd8e7994ba8d2c7bb2d0f

SHA1
74da45b80995569e4c3442be31bec99ecab8445c

SHA256
346d24f35ff3011dae9375ed8c790144a87c55215912d0eda6a755ec2ee60465

SHA512
a751bb1e7b02c3e065d9c3c67750f5769bd9a1bcc7f9c13208f01b2a3cd67ff342bb953316a59a9caf03c2abb7f5bb98135e19030f4b663a745e3a3d0dbe3070

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
fc105e8c6ebcd8e7994ba8d2c7bb2d0f

SHA1
74da45b80995569e4c3442be31bec99ecab8445c

SHA256
346d24f35ff3011dae9375ed8c790144a87c55215912d0eda6a755ec2ee60465

SHA512
a751bb1e7b02c3e065d9c3c67750f5769bd9a1bcc7f9c13208f01b2a3cd67ff342bb953316a59a9caf03c2abb7f5bb98135e19030f4b663a745e3a3d0dbe3070

Download Submit
C:\Users\Admin\AppData\Local\Temp\yumcaqhcwlmxsddtooc.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\ayskkcvsofivsfhzwyomg.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\eyocymbumzyhajhvo.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\libsriawrhjvrdevrshe.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\nizolaqkdrrbvfetnm.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\rqlefysqnfjxvjmfdgxwrk.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\xqfsnaogxjhphpmz.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\SysWOW64\yumcaqhcwlmxsddtooc.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\ayskkcvsofivsfhzwyomg.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\ayskkcvsofivsfhzwyomg.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\ayskkcvsofivsfhzwyomg.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\eyocymbumzyhajhvo.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\eyocymbumzyhajhvo.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\eyocymbumzyhajhvo.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\libsriawrhjvrdevrshe.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\libsriawrhjvrdevrshe.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\libsriawrhjvrdevrshe.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\nizolaqkdrrbvfetnm.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\nizolaqkdrrbvfetnm.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\nizolaqkdrrbvfetnm.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\rqlefysqnfjxvjmfdgxwrk.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\xqfsnaogxjhphpmz.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\xqfsnaogxjhphpmz.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\xqfsnaogxjhphpmz.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\yumcaqhcwlmxsddtooc.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\yumcaqhcwlmxsddtooc.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit
C:\Windows\yumcaqhcwlmxsddtooc.exe

Filesize
1016KB

MD5
088efce33e3437bcd86493a04a59ca50

SHA1
8534b1ad9da1994dc6a428d9e5d43bfa9542e6be

SHA256
74fffac395ec26e3bee8dccee011a3215307fe43bb5a0cdf2c32e1328a3938a7

SHA512
c467a54c3947951930080e972c9267dd00fc51216ed083a9ce09e3273d35d4ec20c749ed527d67c9314f45d727066ed281485e745759abda8eaa77c19080df94

Download Submit