5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
Size

1016KB
MD5

53ced6bd06ea5449e02d6cb87da70840
SHA1

40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67
SHA256

5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360
SHA512

9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6
SSDEEP

6144:GIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUB:GIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

yborjrewily.exexhlxvfo.exexhlxvfo.exeyborjrewily.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yborjrewily.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

xhlxvfo.exeyborjrewily.exeyborjrewily.exexhlxvfo.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlxvfo.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xhlxvfo.exeyborjrewily.exexhlxvfo.exeyborjrewily.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "khyxifbyngjvrdevrsgd.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyxifbyngjvrdevrsgd.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "mhwtcxrmzqrbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "mhwtcxrmzqrbvfetnm.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "khyxifbyngjvrdevrsgd.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ktwhen = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xhlxvfo.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

xhlxvfo.exexhlxvfo.exeyborjrewily.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe

Executes dropped EXE 4 IoCs

Processes:

yborjrewily.exexhlxvfo.exexhlxvfo.exeyborjrewily.exe

pid process

4324 yborjrewily.exe
4736 xhlxvfo.exe
4672 xhlxvfo.exe
1688 yborjrewily.exe

pid	process
4324	yborjrewily.exe
4736	xhlxvfo.exe
4672	xhlxvfo.exe
1688	yborjrewily.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exeyborjrewily.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yborjrewily.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xhlxvfo.exexhlxvfo.exeyborjrewily.exeyborjrewily.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "xtjhrnieskmxsddtoob.exe ."	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "wpcxexpitihphpmz.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyxifbyngjvrdevrsgd.exe"	xhlxvfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyxifbyngjvrdevrsgd.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhlxvfo = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "zxppbzwukeivsfhzwynld.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "khyxifbyngjvrdevrsgd.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyxifbyngjvrdevrsgd.exe"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe ."	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhlxvfo = "dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "wpcxexpitihphpmz.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "xtjhrnieskmxsddtoob.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "dxlhpjcwiyyhajhvo.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "wpcxexpitihphpmz.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhlxvfo = "zxppbzwukeivsfhzwynld.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "wpcxexpitihphpmz.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "zxppbzwukeivsfhzwynld.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe ."	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe ."	xhlxvfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyh = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhlxvfo = "xtjhrnieskmxsddtoob.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtjhrnieskmxsddtoob.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "xtjhrnieskmxsddtoob.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xhlxvfo = "xtjhrnieskmxsddtoob.exe"	xhlxvfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpcxexpitihphpmz.exe"	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxcpozju = "xtjhrnieskmxsddtoob.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxppbzwukeivsfhzwynld.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhjtp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe ."	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dpvjjvgsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyxifbyngjvrdevrsgd.exe ."	yborjrewily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhwtcxrmzqrbvfetnm.exe"	xhlxvfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjqfgtfsxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxlhpjcwiyyhajhvo.exe"	xhlxvfo.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

yborjrewily.exexhlxvfo.exexhlxvfo.exeyborjrewily.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 whatismyip.everdot.org
23 whatismyip.everdot.org
24 whatismyipaddress.com
41 www.showmyipaddress.com
44 whatismyip.everdot.org

flow	ioc
50	whatismyip.everdot.org
23	whatismyip.everdot.org
24	whatismyipaddress.com
41	www.showmyipaddress.com
44	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

Processes:

xhlxvfo.exeyborjrewily.exeyborjrewily.exexhlxvfo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\wpcxexpitihphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe	xhlxvfo.exe
File created	C:\Windows\SysWOW64\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File created	C:\Windows\SysWOW64\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\wpcxexpitihphpmz.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\wpcxexpitihphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\SysWOW64\wpcxexpitihphpmz.exe	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File opened for modification	C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe	yborjrewily.exe

Drops file in Program Files directory 4 IoCs

Processes:

xhlxvfo.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File created	C:\Program Files (x86)\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File opened for modification	C:\Program Files (x86)\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe
File created	C:\Program Files (x86)\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe

Drops file in Windows directory 32 IoCs

Processes:

xhlxvfo.exexhlxvfo.exeyborjrewily.exeyborjrewily.exe

description	ioc	process
File opened for modification	C:\Windows\mhwtcxrmzqrbvfetnm.exe	xhlxvfo.exe
File opened for modification	C:\Windows\zxppbzwukeivsfhzwynld.exe	xhlxvfo.exe
File opened for modification	C:\Windows\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File opened for modification	C:\Windows\xtjhrnieskmxsddtoob.exe	yborjrewily.exe
File opened for modification	C:\Windows\khyxifbyngjvrdevrsgd.exe	yborjrewily.exe
File opened for modification	C:\Windows\xtjhrnieskmxsddtoob.exe	yborjrewily.exe
File opened for modification	C:\Windows\zxppbzwukeivsfhzwynld.exe	xhlxvfo.exe
File opened for modification	C:\Windows\dxlhpjcwiyyhajhvo.exe	xhlxvfo.exe
File opened for modification	C:\Windows\dxlhpjcwiyyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\mhwtcxrmzqrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\khyxifbyngjvrdevrsgd.exe	yborjrewily.exe
File opened for modification	C:\Windows\qpijwvtsjejxvjmfdgwvop.exe	xhlxvfo.exe
File opened for modification	C:\Windows\wpcxexpitihphpmz.exe	xhlxvfo.exe
File opened for modification	C:\Windows\zxppbzwukeivsfhzwynld.exe	yborjrewily.exe
File opened for modification	C:\Windows\mhwtcxrmzqrbvfetnm.exe	xhlxvfo.exe
File opened for modification	C:\Windows\xtjhrnieskmxsddtoob.exe	xhlxvfo.exe
File opened for modification	C:\Windows\khyxifbyngjvrdevrsgd.exe	xhlxvfo.exe
File opened for modification	C:\Windows\dxlhpjcwiyyhajhvo.exe	xhlxvfo.exe
File opened for modification	C:\Windows\dxlhpjcwiyyhajhvo.exe	yborjrewily.exe
File opened for modification	C:\Windows\khyxifbyngjvrdevrsgd.exe	xhlxvfo.exe
File opened for modification	C:\Windows\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe
File created	C:\Windows\odmdgvjyfqlpdhajxqwlulodrgnytxlpir.yet	xhlxvfo.exe
File opened for modification	C:\Windows\wpcxexpitihphpmz.exe	xhlxvfo.exe
File opened for modification	C:\Windows\xtjhrnieskmxsddtoob.exe	xhlxvfo.exe
File opened for modification	C:\Windows\mhwtcxrmzqrbvfetnm.exe	yborjrewily.exe
File opened for modification	C:\Windows\zxppbzwukeivsfhzwynld.exe	yborjrewily.exe
File created	C:\Windows\bfdjbfimiislohpnqytxvbt.aea	xhlxvfo.exe
File opened for modification	C:\Windows\wpcxexpitihphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\qpijwvtsjejxvjmfdgwvop.exe	yborjrewily.exe
File opened for modification	C:\Windows\wpcxexpitihphpmz.exe	yborjrewily.exe
File opened for modification	C:\Windows\qpijwvtsjejxvjmfdgwvop.exe	yborjrewily.exe
File opened for modification	C:\Windows\qpijwvtsjejxvjmfdgwvop.exe	xhlxvfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exexhlxvfo.exe

pid	process
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
4736	xhlxvfo.exe
4736	xhlxvfo.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
4736	xhlxvfo.exe
4736	xhlxvfo.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xhlxvfo.exe

description pid process

Token: SeDebugPrivilege 4736 xhlxvfo.exe

description	pid	process
Token: SeDebugPrivilege	4736	xhlxvfo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exeyborjrewily.exe

description	pid	process	target process
PID 2740 wrote to memory of 4324	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe
PID 2740 wrote to memory of 4324	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe
PID 2740 wrote to memory of 4324	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe
PID 4324 wrote to memory of 4736	4324	yborjrewily.exe	xhlxvfo.exe
PID 4324 wrote to memory of 4736	4324	yborjrewily.exe	xhlxvfo.exe
PID 4324 wrote to memory of 4736	4324	yborjrewily.exe	xhlxvfo.exe
PID 4324 wrote to memory of 4672	4324	yborjrewily.exe	xhlxvfo.exe
PID 4324 wrote to memory of 4672	4324	yborjrewily.exe	xhlxvfo.exe
PID 4324 wrote to memory of 4672	4324	yborjrewily.exe	xhlxvfo.exe
PID 2740 wrote to memory of 1688	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe
PID 2740 wrote to memory of 1688	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe
PID 2740 wrote to memory of 1688	2740	5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe	yborjrewily.exe

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

Processes:

yborjrewily.exexhlxvfo.exexhlxvfo.exeyborjrewily.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yborjrewily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yborjrewily.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xhlxvfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xhlxvfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xhlxvfo.exe

C:\Users\Admin\AppData\Local\Temp\5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe
"C:\Users\Admin\AppData\Local\Temp\5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe
    "C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe" "-C:\Users\Admin\AppData\Local\Temp\wpcxexpitihphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe
    "C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe" "-C:\Users\Admin\AppData\Local\Temp\wpcxexpitihphpmz.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe
  "C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe" "c:\users\admin\appdata\local\temp\5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe

Filesize
708KB

MD5
05cedb22cf57615db8ba43fe3ff8cd0e

SHA1
2cfc1de055c154775d9b4a313b2c7e06ce7e23de

SHA256
283655b8a25abcc13ebb2cb147dba1fc6a88d41e69a37a046f67f65633e38822

SHA512
8aa76f4de7ebddaadf88c0de261c80831e3f3bc7aa7ebeb95d3197854aec1b243719a31078dac2c043de01b9ebab9b8ed62270c7105f943cfe0b68c3178cefcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe

Filesize
708KB

MD5
05cedb22cf57615db8ba43fe3ff8cd0e

SHA1
2cfc1de055c154775d9b4a313b2c7e06ce7e23de

SHA256
283655b8a25abcc13ebb2cb147dba1fc6a88d41e69a37a046f67f65633e38822

SHA512
8aa76f4de7ebddaadf88c0de261c80831e3f3bc7aa7ebeb95d3197854aec1b243719a31078dac2c043de01b9ebab9b8ed62270c7105f943cfe0b68c3178cefcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhlxvfo.exe

Filesize
708KB

MD5
05cedb22cf57615db8ba43fe3ff8cd0e

SHA1
2cfc1de055c154775d9b4a313b2c7e06ce7e23de

SHA256
283655b8a25abcc13ebb2cb147dba1fc6a88d41e69a37a046f67f65633e38822

SHA512
8aa76f4de7ebddaadf88c0de261c80831e3f3bc7aa7ebeb95d3197854aec1b243719a31078dac2c043de01b9ebab9b8ed62270c7105f943cfe0b68c3178cefcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
8dd6c010ffc43120b8acc20517d300cc

SHA1
58f010a548e9bf97968d77421e202de5531faeca

SHA256
8263270bb6b079aa9eb117576f7126104cb5ba3207f414088227ae8efb765ff7

SHA512
f32d8f395ab3012f331079a8c75c325c38d8e0ee38e6dc02862ad1e3d68027d0ab8da29ae4e3d26ed1ba86569b4dfd52a43523b40978d3cbbab2ecd8bb97e88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
8dd6c010ffc43120b8acc20517d300cc

SHA1
58f010a548e9bf97968d77421e202de5531faeca

SHA256
8263270bb6b079aa9eb117576f7126104cb5ba3207f414088227ae8efb765ff7

SHA512
f32d8f395ab3012f331079a8c75c325c38d8e0ee38e6dc02862ad1e3d68027d0ab8da29ae4e3d26ed1ba86569b4dfd52a43523b40978d3cbbab2ecd8bb97e88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yborjrewily.exe

Filesize
320KB

MD5
8dd6c010ffc43120b8acc20517d300cc

SHA1
58f010a548e9bf97968d77421e202de5531faeca

SHA256
8263270bb6b079aa9eb117576f7126104cb5ba3207f414088227ae8efb765ff7

SHA512
f32d8f395ab3012f331079a8c75c325c38d8e0ee38e6dc02862ad1e3d68027d0ab8da29ae4e3d26ed1ba86569b4dfd52a43523b40978d3cbbab2ecd8bb97e88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\SysWOW64\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\dxlhpjcwiyyhajhvo.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\khyxifbyngjvrdevrsgd.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\mhwtcxrmzqrbvfetnm.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\qpijwvtsjejxvjmfdgwvop.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\wpcxexpitihphpmz.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\xtjhrnieskmxsddtoob.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
C:\Windows\zxppbzwukeivsfhzwynld.exe

Filesize
1016KB

MD5
53ced6bd06ea5449e02d6cb87da70840

SHA1
40c414b0cdb9055cc69cf06a38c9ce7f8c9ace67

SHA256
5cd69610c7228d8c455333d848b80a7b50eadefc7df46d9dd7ad9f94d073b360

SHA512
9692a049d3619ddacc5430a8c6ba60e44d8778f757707150e5688bec57b07e4363d3825d21b2fdeaff127ee61fb563944d2563cff8e4e734c7093c40e7a22da6

Download Submit
memory/1688-181-0x0000000000000000-mapping.dmp

Download
memory/4324-132-0x0000000000000000-mapping.dmp

Download
memory/4672-138-0x0000000000000000-mapping.dmp

Download
memory/4736-135-0x0000000000000000-mapping.dmp

Download