327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

Analysis

max time kernel
150s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
Size

612KB
MD5

fa2b2bf45bbd6d6dc2f1afc683bea85c
SHA1

28fdb35377468f84df6aec2eb4e16ca3986b4387
SHA256

327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6
SHA512

bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89
SSDEEP

6144:48XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUn/0vQPT20Q:7nRy+ZyYpaCDJFuPyAHcqrUns9v2V+yc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ixiyjejjshs.exejowymr.exejowymr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jowymr.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

jowymr.exejowymr.exeixiyjejjshs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jowymr.exe

Adds policy Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jowymr.exejowymr.exeixiyjejjshs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\veqwoxftwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwkkbrnyrbxpmegsz.exe"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\veqwoxftwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\veqwoxftwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "vkcombpjsjrlbwmm.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "jcyoqjbzmhtrlkeiwffy.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "jcyoqjbzmhtrlkeiwffy.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "lcwkkbrnyrbxpmegsz.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "vkcombpjsjrlbwmm.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\veqwoxftwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcombpjsjrlbwmm.exe"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\veqwoxftwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cslyxncxhziduqhit.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mynwrdoflzevi = "jcyoqjbzmhtrlkeiwffy.exe"	jowymr.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

jowymr.exeixiyjejjshs.exejowymr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe

Executes dropped EXE 3 IoCs

Processes:

ixiyjejjshs.exejowymr.exejowymr.exe

pid process

1972 ixiyjejjshs.exe
856 jowymr.exe
1744 jowymr.exe

pid	process
1972	ixiyjejjshs.exe
856	jowymr.exe
1744	jowymr.exe

Loads dropped DLL 6 IoCs

Processes:

327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exeixiyjejjshs.exe

pid	process
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
1972	ixiyjejjshs.exe
1972	ixiyjejjshs.exe
1972	ixiyjejjshs.exe
1972	ixiyjejjshs.exe

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jowymr.exejowymr.exeixiyjejjshs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "lcwkkbrnyrbxpmegsz.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcombpjsjrlbwmm.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "jcyoqjbzmhtrlkeiwffy.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "yspgjdwvjfsrmmhmblmgd.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "cslyxncxhziduqhit.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "lcwkkbrnyrbxpmegsz.exe"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcyoqjbzmhtrlkeiwffy.exe ."	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwkkbrnyrbxpmegsz.exe ."	jowymr.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "lcwkkbrnyrbxpmegsz.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "cslyxncxhziduqhit.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcombpjsjrlbwmm.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cslyxncxhziduqhit.exe ."	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcombpjsjrlbwmm.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "vkcombpjsjrlbwmm.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "jcyoqjbzmhtrlkeiwffy.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwkkbrnyrbxpmegsz.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "wojyzrifrlwtmkdgtba.exe ."	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "cslyxncxhziduqhit.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "jcyoqjbzmhtrlkeiwffy.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "wojyzrifrlwtmkdgtba.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "wojyzrifrlwtmkdgtba.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nymuozjzervl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwkkbrnyrbxpmegsz.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwkkbrnyrbxpmegsz.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jowymr.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cslyxncxhziduqhit.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcyoqjbzmhtrlkeiwffy.exe ."	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "yspgjdwvjfsrmmhmblmgd.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "jcyoqjbzmhtrlkeiwffy.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkcombpjsjrlbwmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cslyxncxhziduqhit.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qevgdrexfvcvket = "cslyxncxhziduqhit.exe ."	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "jcyoqjbzmhtrlkeiwffy.exe"	ixiyjejjshs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "cslyxncxhziduqhit.exe"	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qanunxgvzlo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jowymr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\naqawjvnujphvo = "yspgjdwvjfsrmmhmblmgd.exe"	jowymr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cslyxncxhziduqhit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojyzrifrlwtmkdgtba.exe"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ixiyjejjshs.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jowymr.exeixiyjejjshs.exejowymr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 whatismyipaddress.com
4 www.showmyipaddress.com
6 whatismyip.everdot.org

flow	ioc
2	whatismyipaddress.com
4	www.showmyipaddress.com
6	whatismyip.everdot.org

Drops file in System32 directory 46 IoCs

Processes:

ixiyjejjshs.exejowymr.exejowymr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File created	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe
File created	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File created	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File created	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	jowymr.exe
File created	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe
File created	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File created	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File created	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe
File created	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	jowymr.exe
File created	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File created	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe
File created	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	jowymr.exe
File created	C:\Windows\SysWOW64\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File created	C:\Windows\SysWOW64\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe
File created	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File created	C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File opened for modification	C:\Windows\SysWOW64\cslyxncxhziduqhit.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe	ixiyjejjshs.exe
File created	C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe

Drops file in Program Files directory 4 IoCs

Processes:

jowymr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File created	C:\Program Files (x86)\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File opened for modification	C:\Program Files (x86)\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe
File created	C:\Program Files (x86)\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe

Drops file in Windows directory 32 IoCs

Processes:

ixiyjejjshs.exejowymr.exejowymr.exe

description	ioc	process
File created	C:\Windows\yspgjdwvjfsrmmhmblmgd.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\pkiaezttifttpqmsitvqog.exe	ixiyjejjshs.exe
File created	C:\Windows\pkiaezttifttpqmsitvqog.exe	ixiyjejjshs.exe
File created	C:\Windows\cslyxncxhziduqhit.exe	ixiyjejjshs.exe
File created	C:\Windows\wojyzrifrlwtmkdgtba.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe
File opened for modification	C:\Windows\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe
File opened for modification	C:\Windows\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File created	C:\Windows\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe
File opened for modification	C:\Windows\lcwkkbrnyrbxpmegsz.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\wojyzrifrlwtmkdgtba.exe	ixiyjejjshs.exe
File created	C:\Windows\jcyoqjbzmhtrlkeiwffy.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\pkiaezttifttpqmsitvqog.exe	jowymr.exe
File opened for modification	C:\Windows\nymuozjzervlxoawcdvgucwhrhmzdtfwie.ldo	jowymr.exe
File created	C:\Windows\vkcombpjsjrlbwmm.exe	ixiyjejjshs.exe
File created	C:\Windows\lcwkkbrnyrbxpmegsz.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File opened for modification	C:\Windows\cslyxncxhziduqhit.exe	jowymr.exe
File opened for modification	C:\Windows\jcyoqjbzmhtrlkeiwffy.exe	jowymr.exe
File created	C:\Windows\aadajjinhjchiopavlssvsb.afz	jowymr.exe
File opened for modification	C:\Windows\vkcombpjsjrlbwmm.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File opened for modification	C:\Windows\vkcombpjsjrlbwmm.exe	jowymr.exe
File opened for modification	C:\Windows\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File opened for modification	C:\Windows\lcwkkbrnyrbxpmegsz.exe	jowymr.exe
File opened for modification	C:\Windows\cslyxncxhziduqhit.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\jcyoqjbzmhtrlkeiwffy.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\yspgjdwvjfsrmmhmblmgd.exe	ixiyjejjshs.exe
File opened for modification	C:\Windows\cslyxncxhziduqhit.exe	jowymr.exe
File opened for modification	C:\Windows\wojyzrifrlwtmkdgtba.exe	jowymr.exe
File opened for modification	C:\Windows\yspgjdwvjfsrmmhmblmgd.exe	jowymr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exejowymr.exe

pid	process
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
856	jowymr.exe
856	jowymr.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jowymr.exe

description pid process

Token: SeDebugPrivilege 856 jowymr.exe

description	pid	process
Token: SeDebugPrivilege	856	jowymr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exeixiyjejjshs.exe

description	pid	process	target process
PID 872 wrote to memory of 1972	872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe	ixiyjejjshs.exe
PID 872 wrote to memory of 1972	872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe	ixiyjejjshs.exe
PID 872 wrote to memory of 1972	872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe	ixiyjejjshs.exe
PID 872 wrote to memory of 1972	872	327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe	ixiyjejjshs.exe
PID 1972 wrote to memory of 856	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 856	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 856	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 856	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 1744	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 1744	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 1744	1972	ixiyjejjshs.exe	jowymr.exe
PID 1972 wrote to memory of 1744	1972	ixiyjejjshs.exe	jowymr.exe

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

Processes:

jowymr.exeixiyjejjshs.exejowymr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ixiyjejjshs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jowymr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ixiyjejjshs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jowymr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jowymr.exe

C:\Users\Admin\AppData\Local\Temp\327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe
"C:\Users\Admin\AppData\Local\Temp\327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
"C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe" "c:\users\admin\appdata\local\temp\327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe*"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972

C:\Users\Admin\AppData\Local\Temp\jowymr.exe
"C:\Users\Admin\AppData\Local\Temp\jowymr.exe" "-c:\users\admin\appdata\local\temp\327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:856

C:\Users\Admin\AppData\Local\Temp\jowymr.exe
"C:\Users\Admin\AppData\Local\Temp\jowymr.exe" "-c:\users\admin\appdata\local\temp\327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cslyxncxhziduqhit.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\cslyxncxhziduqhit.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcyoqjbzmhtrlkeiwffy.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcyoqjbzmhtrlkeiwffy.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
C:\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcwkkbrnyrbxpmegsz.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcwkkbrnyrbxpmegsz.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkiaezttifttpqmsitvqog.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkiaezttifttpqmsitvqog.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkcombpjsjrlbwmm.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkcombpjsjrlbwmm.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wojyzrifrlwtmkdgtba.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wojyzrifrlwtmkdgtba.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\yspgjdwvjfsrmmhmblmgd.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\yspgjdwvjfsrmmhmblmgd.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\cslyxncxhziduqhit.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\jcyoqjbzmhtrlkeiwffy.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\lcwkkbrnyrbxpmegsz.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\pkiaezttifttpqmsitvqog.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\vkcombpjsjrlbwmm.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\wojyzrifrlwtmkdgtba.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\SysWOW64\yspgjdwvjfsrmmhmblmgd.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\cslyxncxhziduqhit.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\cslyxncxhziduqhit.exe
Filesize
192KB

MD5
341d7773536f5a902c5821010ba3877e

SHA1
cd3076bea6f8348eb644655da5f47fc2168801bc

SHA256
fffcfb5ae774562593ac9600577391c94fc143d2e014dbda37fb192cc24ed8b5

SHA512
082cf6bbec1caca01e82e3bba083c1e6d9bb47e68311e1eb74a47e71f531f610e4b409a7ce8f33a487e1e8912cd4dcf81174ad733cb33af91956dcdefdf7e0b8

Download Submit
C:\Windows\jcyoqjbzmhtrlkeiwffy.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\jcyoqjbzmhtrlkeiwffy.exe
Filesize
612KB

MD5
cc5a3a5e513101129792890f5282a064

SHA1
bacfbd1d5184874823c9b86f4c49f05ffc927001

SHA256
42243a0ead6c78f298559f6f235bd2bf0e58efd9000ab94c77cffa3561813438

SHA512
1205fd015701dd3a8f0498f030a215444f51019dcf656acf5cf570f859ce25595c5ab0a1cbec40d69275d8c2de381b5b93f49dff70730f41a689efc2fdc98011

Download Submit
C:\Windows\lcwkkbrnyrbxpmegsz.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\lcwkkbrnyrbxpmegsz.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\pkiaezttifttpqmsitvqog.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\pkiaezttifttpqmsitvqog.exe
Filesize
612KB

MD5
cc5a3a5e513101129792890f5282a064

SHA1
bacfbd1d5184874823c9b86f4c49f05ffc927001

SHA256
42243a0ead6c78f298559f6f235bd2bf0e58efd9000ab94c77cffa3561813438

SHA512
1205fd015701dd3a8f0498f030a215444f51019dcf656acf5cf570f859ce25595c5ab0a1cbec40d69275d8c2de381b5b93f49dff70730f41a689efc2fdc98011

Download Submit
C:\Windows\vkcombpjsjrlbwmm.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\vkcombpjsjrlbwmm.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\wojyzrifrlwtmkdgtba.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\wojyzrifrlwtmkdgtba.exe
Filesize
612KB

MD5
cc5a3a5e513101129792890f5282a064

SHA1
bacfbd1d5184874823c9b86f4c49f05ffc927001

SHA256
42243a0ead6c78f298559f6f235bd2bf0e58efd9000ab94c77cffa3561813438

SHA512
1205fd015701dd3a8f0498f030a215444f51019dcf656acf5cf570f859ce25595c5ab0a1cbec40d69275d8c2de381b5b93f49dff70730f41a689efc2fdc98011

Download Submit
C:\Windows\yspgjdwvjfsrmmhmblmgd.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
C:\Windows\yspgjdwvjfsrmmhmblmgd.exe
Filesize
612KB

MD5
fa2b2bf45bbd6d6dc2f1afc683bea85c

SHA1
28fdb35377468f84df6aec2eb4e16ca3986b4387

SHA256
327f3735753722cce7efc978fc5fd0d9be59c5013499e4c177a3636c22e02dd6

SHA512
bbc1e9aec1da4f8fea99c6d42c7abfbbe61522c55621dae79d81122cc5b7a601b0b085570a5dd936adf6f50024e06e831db058a327fbfd80922723b7645c0d89

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe
Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
\Users\Admin\AppData\Local\Temp\jowymr.exe
Filesize
684KB

MD5
b5f0e7fea4d96ec97849b3db7e46cb28

SHA1
cd91dc09d0ce81e6ba5ba3dc619f8a1f92278b7d

SHA256
545e275a891d51d0760c26e42c14053d51625d50d4529effd4ba0e326f1920ce

SHA512
795477237122a17fdb9501ca3f217438e432a7b5dc2a4cf66c369e81c6f0b2985f14e725bc748d1184fb1f970af110c652f5dd2444094a6dc60fb897ec4b5715

Download Submit
memory/856-63-0x0000000000000000-mapping.dmp

Download
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1744-68-0x0000000000000000-mapping.dmp

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download