227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

Analysis

max time kernel
168s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
Size

1016KB
MD5

5b6e8a6f541a736a36677974605efe20
SHA1

5ae664a82587fe992e1b1a21eb535f8fd89e8ae6
SHA256

227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0
SHA512

bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c
SSDEEP

6144:VIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUry:VIXsgtvm1De5YlOx6lzBH46Ury

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

yborjrewily.execajobln.execajobln.exeyborjrewily.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cajobln.exeyborjrewily.execajobln.exeyborjrewily.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cajobln.exeyborjrewily.execajobln.exeyborjrewily.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "raukidqkxzjdnmbvul.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "eqnghfvsinaxkmebdxjgz.exe"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "pawoolawlpbxjkbxyrcy.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "raukidqkxzjdnmbvul.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "raukidqkxzjdnmbvul.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iitapbfqu = "iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmuykt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	yborjrewily.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

cajobln.exeyborjrewily.execajobln.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe

Executes dropped EXE 4 IoCs

Processes:

yborjrewily.execajobln.execajobln.exeyborjrewily.exe

pid process

3972 yborjrewily.exe
4508 cajobln.exe
1524 cajobln.exe
1984 yborjrewily.exe

pid	process
3972	yborjrewily.exe
4508	cajobln.exe
1524	cajobln.exe
1984	yborjrewily.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exeyborjrewily.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yborjrewily.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yborjrewily.execajobln.execajobln.exeyborjrewily.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcowmzeqvp = "raukidqkxzjdnmbvul.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe ."	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "iqjyvpbughqjsqexv.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "raukidqkxzjdnmbvul.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcowmzeqvp = "cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "raukidqkxzjdnmbvul.exe ."	cajobln.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "eqnghfvsinaxkmebdxjgz.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcowmzeqvp = "biaokdogrrzrzwjb.exe"	cajobln.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "biaokdogrrzrzwjb.exe ."	cajobln.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcowmzeqvp = "pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cajobln = "raukidqkxzjdnmbvul.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cajobln = "eqnghfvsinaxkmebdxjgz.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "pawoolawlpbxjkbxyrcy.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "pawoolawlpbxjkbxyrcy.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cajobln = "iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqnghfvsinaxkmebdxjgz.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "pawoolawlpbxjkbxyrcy.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pawoolawlpbxjkbxyrcy.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "iqjyvpbughqjsqexv.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pawoolawlpbxjkbxyrcy.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe ."	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "cmhyxthcqtezkkavvnx.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twkumbiwdzdr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmhyxthcqtezkkavvnx.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "pawoolawlpbxjkbxyrcy.exe ."	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "eqnghfvsinaxkmebdxjgz.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "iqjyvpbughqjsqexv.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cajobln = "eqnghfvsinaxkmebdxjgz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wylulzfsytw = "eqnghfvsinaxkmebdxjgz.exe ."	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swlwpfnckhmbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biaokdogrrzrzwjb.exe"	cajobln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "raukidqkxzjdnmbvul.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cajobln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\raukidqkxzjdnmbvul.exe"	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcowmzeqvp = "iqjyvpbughqjsqexv.exe"	cajobln.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqjyvpbughqjsqexv.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rqagufis = "pawoolawlpbxjkbxyrcy.exe ."	cajobln.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

yborjrewily.exeyborjrewily.execajobln.execajobln.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cajobln.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
47	whatismyip.everdot.org
13	whatismyip.everdot.org
15	whatismyipaddress.com
28	www.showmyipaddress.com
31	whatismyip.everdot.org
34	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

Processes:

cajobln.exeyborjrewily.exeyborjrewily.execajobln.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\pawoolawlpbxjkbxyrcy.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\biaokdogrrzrzwjb.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\raukidqkxzjdnmbvul.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\iqjyvpbughqjsqexv.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vigacbsqhnbznqjhkfsqkm.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\eqnghfvsinaxkmebdxjgz.exe	cajobln.exe
File created	C:\Windows\SysWOW64\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\cmhyxthcqtezkkavvnx.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\iqjyvpbughqjsqexv.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\raukidqkxzjdnmbvul.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\biaokdogrrzrzwjb.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\pawoolawlpbxjkbxyrcy.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\eqnghfvsinaxkmebdxjgz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vigacbsqhnbznqjhkfsqkm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\biaokdogrrzrzwjb.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\cmhyxthcqtezkkavvnx.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\cmhyxthcqtezkkavvnx.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\raukidqkxzjdnmbvul.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\cmhyxthcqtezkkavvnx.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\vigacbsqhnbznqjhkfsqkm.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\iqjyvpbughqjsqexv.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\pawoolawlpbxjkbxyrcy.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\iqjyvpbughqjsqexv.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\raukidqkxzjdnmbvul.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\pawoolawlpbxjkbxyrcy.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\eqnghfvsinaxkmebdxjgz.exe	cajobln.exe
File created	C:\Windows\SysWOW64\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\vigacbsqhnbznqjhkfsqkm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\biaokdogrrzrzwjb.exe	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe
File opened for modification	C:\Windows\SysWOW64\eqnghfvsinaxkmebdxjgz.exe	yborjrewily.exe

Drops file in Program Files directory 4 IoCs

Processes:

cajobln.exe

description	ioc	process
File created	C:\Program Files (x86)\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe
File opened for modification	C:\Program Files (x86)\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File created	C:\Program Files (x86)\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File opened for modification	C:\Program Files (x86)\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe

Drops file in Windows directory 32 IoCs

Processes:

cajobln.execajobln.exeyborjrewily.exeyborjrewily.exe

description	ioc	process
File opened for modification	C:\Windows\eqnghfvsinaxkmebdxjgz.exe	cajobln.exe
File opened for modification	C:\Windows\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File opened for modification	C:\Windows\pawoolawlpbxjkbxyrcy.exe	yborjrewily.exe
File opened for modification	C:\Windows\pawoolawlpbxjkbxyrcy.exe	yborjrewily.exe
File opened for modification	C:\Windows\pawoolawlpbxjkbxyrcy.exe	cajobln.exe
File opened for modification	C:\Windows\biaokdogrrzrzwjb.exe	yborjrewily.exe
File opened for modification	C:\Windows\raukidqkxzjdnmbvul.exe	yborjrewily.exe
File opened for modification	C:\Windows\biaokdogrrzrzwjb.exe	yborjrewily.exe
File opened for modification	C:\Windows\iqjyvpbughqjsqexv.exe	yborjrewily.exe
File opened for modification	C:\Windows\raukidqkxzjdnmbvul.exe	cajobln.exe
File opened for modification	C:\Windows\cmhyxthcqtezkkavvnx.exe	cajobln.exe
File opened for modification	C:\Windows\biaokdogrrzrzwjb.exe	cajobln.exe
File opened for modification	C:\Windows\iqjyvpbughqjsqexv.exe	cajobln.exe
File opened for modification	C:\Windows\pawoolawlpbxjkbxyrcy.exe	cajobln.exe
File opened for modification	C:\Windows\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe
File opened for modification	C:\Windows\biaokdogrrzrzwjb.exe	cajobln.exe
File opened for modification	C:\Windows\raukidqkxzjdnmbvul.exe	cajobln.exe
File created	C:\Windows\vqwyipouthdjfqrxilgmoyfekj.tzv	cajobln.exe
File opened for modification	C:\Windows\cmhyxthcqtezkkavvnx.exe	cajobln.exe
File opened for modification	C:\Windows\vigacbsqhnbznqjhkfsqkm.exe	cajobln.exe
File opened for modification	C:\Windows\vigacbsqhnbznqjhkfsqkm.exe	yborjrewily.exe
File opened for modification	C:\Windows\iqjyvpbughqjsqexv.exe	cajobln.exe
File created	C:\Windows\wctgbtduedkbieqhdrxobwoypzyfwdzlcymsj.rjt	cajobln.exe
File opened for modification	C:\Windows\cmhyxthcqtezkkavvnx.exe	yborjrewily.exe
File opened for modification	C:\Windows\eqnghfvsinaxkmebdxjgz.exe	yborjrewily.exe
File opened for modification	C:\Windows\vigacbsqhnbznqjhkfsqkm.exe	yborjrewily.exe
File opened for modification	C:\Windows\raukidqkxzjdnmbvul.exe	yborjrewily.exe
File opened for modification	C:\Windows\cmhyxthcqtezkkavvnx.exe	yborjrewily.exe
File opened for modification	C:\Windows\vigacbsqhnbznqjhkfsqkm.exe	cajobln.exe
File opened for modification	C:\Windows\iqjyvpbughqjsqexv.exe	yborjrewily.exe
File opened for modification	C:\Windows\eqnghfvsinaxkmebdxjgz.exe	yborjrewily.exe
File opened for modification	C:\Windows\eqnghfvsinaxkmebdxjgz.exe	cajobln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.execajobln.exe

pid	process
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4508	cajobln.exe
4508	cajobln.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4508	cajobln.exe
4508	cajobln.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cajobln.exe

description pid process

Token: SeDebugPrivilege 4508 cajobln.exe

description	pid	process
Token: SeDebugPrivilege	4508	cajobln.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exeyborjrewily.exe

description	pid	process	target process
PID 4932 wrote to memory of 3972	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe
PID 4932 wrote to memory of 3972	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe
PID 4932 wrote to memory of 3972	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe
PID 3972 wrote to memory of 4508	3972	yborjrewily.exe	cajobln.exe
PID 3972 wrote to memory of 4508	3972	yborjrewily.exe	cajobln.exe
PID 3972 wrote to memory of 4508	3972	yborjrewily.exe	cajobln.exe
PID 3972 wrote to memory of 1524	3972	yborjrewily.exe	cajobln.exe
PID 3972 wrote to memory of 1524	3972	yborjrewily.exe	cajobln.exe
PID 3972 wrote to memory of 1524	3972	yborjrewily.exe	cajobln.exe
PID 4932 wrote to memory of 1984	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe
PID 4932 wrote to memory of 1984	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe
PID 4932 wrote to memory of 1984	4932	227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe	yborjrewily.exe

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

Processes:

yborjrewily.execajobln.execajobln.exeyborjrewily.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cajobln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cajobln.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cajobln.exe

C:\Users\Admin\AppData\Local\Temp\227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe
"C:\Users\Admin\AppData\Local\Temp\227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\cajobln.exe
    "C:\Users\Admin\AppData\Local\Temp\cajobln.exe" "-C:\Users\Admin\AppData\Local\Temp\biaokdogrrzrzwjb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4508
- - C:\Users\Admin\AppData\Local\Temp\cajobln.exe
    "C:\Users\Admin\AppData\Local\Temp\cajobln.exe" "-C:\Users\Admin\AppData\Local\Temp\biaokdogrrzrzwjb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1524
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biaokdogrrzrzwjb.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cajobln.exe

Filesize
692KB

MD5
e38946a5bf316effcb3045a864b55b79

SHA1
070b4e3f13ec0e8f5d2e4f7d4123a1ebc3d53dd7

SHA256
dc5b1e8b960ec87657aebe0aabe163852db95c870af49d504c5f991d464e49ab

SHA512
0ef6af78a46931712954f487f79df6789cb2a8c1d5aeee5578d6971a2caa5c550b18cc5f71d5f3c0dbd9cc64c2fd0b59c4dbbeecb86c49977123c1c9cceae50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cajobln.exe

Filesize
692KB

MD5
e38946a5bf316effcb3045a864b55b79

SHA1
070b4e3f13ec0e8f5d2e4f7d4123a1ebc3d53dd7

SHA256
dc5b1e8b960ec87657aebe0aabe163852db95c870af49d504c5f991d464e49ab

SHA512
0ef6af78a46931712954f487f79df6789cb2a8c1d5aeee5578d6971a2caa5c550b18cc5f71d5f3c0dbd9cc64c2fd0b59c4dbbeecb86c49977123c1c9cceae50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cajobln.exe

Filesize
692KB

MD5
e38946a5bf316effcb3045a864b55b79

SHA1
070b4e3f13ec0e8f5d2e4f7d4123a1ebc3d53dd7

SHA256
dc5b1e8b960ec87657aebe0aabe163852db95c870af49d504c5f991d464e49ab

SHA512
0ef6af78a46931712954f487f79df6789cb2a8c1d5aeee5578d6971a2caa5c550b18cc5f71d5f3c0dbd9cc64c2fd0b59c4dbbeecb86c49977123c1c9cceae50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmhyxthcqtezkkavvnx.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqnghfvsinaxkmebdxjgz.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqjyvpbughqjsqexv.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pawoolawlpbxjkbxyrcy.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\raukidqkxzjdnmbvul.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vigacbsqhnbznqjhkfsqkm.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
c34c64c499e9b3c5c4d99f23ee723472

SHA1
5a5575cb7f215b6fda5984d415a16116cd7d11b9

SHA256
767e6513488cc9434d76502735a75b08cbc94634b2422b85e9496f4fa51ffad6

SHA512
00a397383e5b52a1bf51e2dd2fb80b0ff81c9347e8869ef2d535ee7e6b9a919b9d3310347b97eaba31ae98ea39f6e43bb8586be82043be915c8301b8f148836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
c34c64c499e9b3c5c4d99f23ee723472

SHA1
5a5575cb7f215b6fda5984d415a16116cd7d11b9

SHA256
767e6513488cc9434d76502735a75b08cbc94634b2422b85e9496f4fa51ffad6

SHA512
00a397383e5b52a1bf51e2dd2fb80b0ff81c9347e8869ef2d535ee7e6b9a919b9d3310347b97eaba31ae98ea39f6e43bb8586be82043be915c8301b8f148836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
c34c64c499e9b3c5c4d99f23ee723472

SHA1
5a5575cb7f215b6fda5984d415a16116cd7d11b9

SHA256
767e6513488cc9434d76502735a75b08cbc94634b2422b85e9496f4fa51ffad6

SHA512
00a397383e5b52a1bf51e2dd2fb80b0ff81c9347e8869ef2d535ee7e6b9a919b9d3310347b97eaba31ae98ea39f6e43bb8586be82043be915c8301b8f148836f

Download Submit
C:\Windows\SysWOW64\biaokdogrrzrzwjb.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\cmhyxthcqtezkkavvnx.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\eqnghfvsinaxkmebdxjgz.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\iqjyvpbughqjsqexv.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\pawoolawlpbxjkbxyrcy.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\raukidqkxzjdnmbvul.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\SysWOW64\vigacbsqhnbznqjhkfsqkm.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\biaokdogrrzrzwjb.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\biaokdogrrzrzwjb.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\biaokdogrrzrzwjb.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\cmhyxthcqtezkkavvnx.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\cmhyxthcqtezkkavvnx.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\cmhyxthcqtezkkavvnx.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\eqnghfvsinaxkmebdxjgz.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\eqnghfvsinaxkmebdxjgz.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\eqnghfvsinaxkmebdxjgz.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\iqjyvpbughqjsqexv.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\iqjyvpbughqjsqexv.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\iqjyvpbughqjsqexv.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\pawoolawlpbxjkbxyrcy.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\pawoolawlpbxjkbxyrcy.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\pawoolawlpbxjkbxyrcy.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\raukidqkxzjdnmbvul.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\raukidqkxzjdnmbvul.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\raukidqkxzjdnmbvul.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\vigacbsqhnbznqjhkfsqkm.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\vigacbsqhnbznqjhkfsqkm.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
C:\Windows\vigacbsqhnbznqjhkfsqkm.exe

Filesize
1016KB

MD5
5b6e8a6f541a736a36677974605efe20

SHA1
5ae664a82587fe992e1b1a21eb535f8fd89e8ae6

SHA256
227788914ecdc9b1e5b54aa8cd6ff57e04b79e5deb8c4a1951f3be5be0ae7bc0

SHA512
bf9f8dae5674c4d13aa3e8b7c6b7addb79d02550c1d342fce02a47fe15856e3f0cf5883f4e51a12fb2a0bcc8a7bffa262fb7e1910049bcb09633157b1909853c

Download Submit
memory/1524-138-0x0000000000000000-mapping.dmp

Download
memory/1984-168-0x0000000000000000-mapping.dmp

Download
memory/3972-132-0x0000000000000000-mapping.dmp

Download
memory/4508-135-0x0000000000000000-mapping.dmp

Download