851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39

Analysis

max time kernel
46s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Size

7.3MB
MD5

82cf1c1a6e7f52327e4a01651cb22a8d
SHA1

2a57061f724bb650bd961d63cf3e93f60c158eb5
SHA256

851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39
SHA512

89e422babe9e310e10da8c15dd8a33dbc994585b93d0265bce7e14d17cf2b7bb8f5dd5ac072cbd4d69ff0ce3ab2b3a9ec3d3ed024b70b51c1f08cb0e5605d8c4
SSDEEP

12288:2XgvmzFHi0mo5aH0qMzd58c7FcquPJQPDHvd:2XgvOHi0mGaH0qSdDFcT4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yijou.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yijou.exe

Adds policy Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "jiysncywogzgjxwlnpfe.exe"	yijou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "wujcwkfctkcikxvjkla.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe"	yijou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\juwcjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cqveosdqx = "yypkgwtsleygkzzpsvmmd.exe"	yijou.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	yijou.exe
1268	yijou.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "yypkgwtsleygkzzpsvmmd.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "cylcugzujyossdzlk.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "vqcsjumguixazjep.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "cylcugzujyossdzlk.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "jiysncywogzgjxwlnpfe.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "wujcwkfctkcikxvjkla.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "wujcwkfctkcikxvjkla.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "yypkgwtsleygkzzpsvmmd.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "vqcsjumguixazjep.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "yypkgwtsleygkzzpsvmmd.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "wujcwkfctkcikxvjkla.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "liwohuokaqhmnzwjjj.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "liwohuokaqhmnzwjjj.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "wujcwkfctkcikxvjkla.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "liwohuokaqhmnzwjjj.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "yypkgwtsleygkzzpsvmmd.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "jiysncywogzgjxwlnpfe.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cylcugzujyossdzlk.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "jiysncywogzgjxwlnpfe.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "cylcugzujyossdzlk.exe ."	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "liwohuokaqhmnzwjjj.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wilsacl = "cylcugzujyossdzlk.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lycktwgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "vqcsjumguixazjep.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "wujcwkfctkcikxvjkla.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "yypkgwtsleygkzzpsvmmd.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkqalqcqyg = "jiysncywogzgjxwlnpfe.exe"	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qgnykqdsbku = "vqcsjumguixazjep.exe ."	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nemylsgwgqba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwohuokaqhmnzwjjj.exe ."	yijou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilsacl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe"	yijou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\menaowlcnykkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yypkgwtsleygkzzpsvmmd.exe"	yijou.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	www.showmyipaddress.com
40	whatismyipaddress.com
44	whatismyip.everdot.org
78	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe
File created	C:\Windows\SysWOW64\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe
File opened for modification	C:\Windows\SysWOW64\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe
File created	C:\Windows\SysWOW64\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe
File opened for modification	C:\Program Files (x86)\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe
File created	C:\Program Files (x86)\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe
File opened for modification	C:\Program Files (x86)\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe
File created	C:\Windows\yijouubknqumazjjwjkuvaggnwz.gym	yijou.exe
File opened for modification	C:\Windows\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe
File created	C:\Windows\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny	yijou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	yijou.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	yijou.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1172	yijou.exe
1172	yijou.exe
1172	yijou.exe
1172	yijou.exe
1172	yijou.exe
1172	yijou.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	yijou.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1172	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	93
PID 1276 wrote to memory of 1172	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	93
PID 1276 wrote to memory of 1172	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	93
PID 1276 wrote to memory of 1268	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	94
PID 1276 wrote to memory of 1268	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	94
PID 1276 wrote to memory of 1268	1276	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe	94

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yijou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yijou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yijou.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yijou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yijou.exe

C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
"C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1276
- C:\Users\Admin\AppData\Local\Temp\yijou.exe
  "C:\Users\Admin\AppData\Local\Temp\yijou.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\yijou.exe
  "C:\Users\Admin\AppData\Local\Temp\yijou.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\yijouubknqumazjjwjkuvaggnwz.gym

Filesize
280B

MD5
02edeadfbbf3dc7096f516dcd27d4b27

SHA1
10bb31ed9d04459b1f39bcb45da51dc0f377462d

SHA256
61d7a44d0eee33da2406b625921adc87055c399e05e4bf274c4a5248d1dba015

SHA512
726431fb6a43edea8ce6d12149ff6bd574df3059b068ec0d28aa85383b7d20184d76e5f7ac53bb7b0a01e45b899401cde5ab715ed75510a8008ceaf85dac1699

Download Submit
C:\Program Files (x86)\yijouubknqumazjjwjkuvaggnwz.gym

Filesize
280B

MD5
ad323d6d816ad3bcb3d2468ad91a37bc

SHA1
df1da4695b910150b89c69ecbfe2ab0b33340c63

SHA256
2e3e7e1dbb243953a83fccb34337982fce0ffeac603eccf1b39626dfa75ffdf4

SHA512
ababa4ca95d47a78e9c93c068f1ac6a4113627a066b7b5eb38418772de6d5db3e49e3814a4e1c4e8cb2de8b261e48a2fc7eed384f0340bc99b9c400c22426322

Download Submit
C:\Users\Admin\AppData\Local\Temp\yijou.exe

Filesize
9.2MB

MD5
04d4556646eb26b6a66a3fc32fa7d59e

SHA1
dadaf321d880a759f3e6deb5fb31793e336a0354

SHA256
9a3b1f8947407a06f314a069ef9d5501a684f973aafc810fd03f619e9b3f5170

SHA512
c40155b2319d5da44b2e8f227fed930459bcc7c2799e7260747b5b3607ee2c24fd6948bb3b0a25b2055cfc42a3e835786e49abed34980828984b0565d18d2e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\yijou.exe

Filesize
9.2MB

MD5
04d4556646eb26b6a66a3fc32fa7d59e

SHA1
dadaf321d880a759f3e6deb5fb31793e336a0354

SHA256
9a3b1f8947407a06f314a069ef9d5501a684f973aafc810fd03f619e9b3f5170

SHA512
c40155b2319d5da44b2e8f227fed930459bcc7c2799e7260747b5b3607ee2c24fd6948bb3b0a25b2055cfc42a3e835786e49abed34980828984b0565d18d2e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\yijou.exe

Filesize
9.2MB

MD5
04d4556646eb26b6a66a3fc32fa7d59e

SHA1
dadaf321d880a759f3e6deb5fb31793e336a0354

SHA256
9a3b1f8947407a06f314a069ef9d5501a684f973aafc810fd03f619e9b3f5170

SHA512
c40155b2319d5da44b2e8f227fed930459bcc7c2799e7260747b5b3607ee2c24fd6948bb3b0a25b2055cfc42a3e835786e49abed34980828984b0565d18d2e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\yijou.exe

Filesize
9.2MB

MD5
04d4556646eb26b6a66a3fc32fa7d59e

SHA1
dadaf321d880a759f3e6deb5fb31793e336a0354

SHA256
9a3b1f8947407a06f314a069ef9d5501a684f973aafc810fd03f619e9b3f5170

SHA512
c40155b2319d5da44b2e8f227fed930459bcc7c2799e7260747b5b3607ee2c24fd6948bb3b0a25b2055cfc42a3e835786e49abed34980828984b0565d18d2e42

Download Submit
C:\Users\Admin\AppData\Local\vqcsjumguixazjepnlxseulwoiwkzcblgrpnzu.wny

Filesize
4KB

MD5
759dc7e23d881cb13e735ed13a204084

SHA1
9f486b7eabeb95e55d2eddd1740b8ba053285d08

SHA256
1702c6cefba6bcb87ae5e481afa6b01c04fc29da17dbc9afc2c288b6a5dcd6a9

SHA512
11330b13b4fb62b2b892024589883fe4a1551f3e0bc4d8e8c3bb9d50db36cb58c66ad94e0fd3d2fd121c208e937adbd18c1600ccdb5efa4ad1d6bf8f96cd99a6

Download Submit
C:\Users\Admin\AppData\Local\yijouubknqumazjjwjkuvaggnwz.gym

Filesize
280B

MD5
0292c230a66b9b90bced91065370cead

SHA1
37ffa1c6ac14452cc718e9ba5ad5820446ba13cb

SHA256
f755e281094672def7cd14c4345ed79590c1fe0ca4a6beb04d24a9d83557b50d

SHA512
fe293b13fed21b56ed456ad3ae8f3d7bd555584bf9086f8c65115bf9adce3ca4476fd57642306ae2f98700e7e29e6a05a728fbc392031cbb9248e8d9135fdbb8

Download Submit