a808c713279d64fe10987ae5b3efc6deb468226c1cdff032d06a2cf0c02d6071

Analysis

max time kernel
124s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a074f5e5b2f7984bf1a2bf5dc7d703.exe
Size

652KB
MD5

17a074f5e5b2f7984bf1a2bf5dc7d703
SHA1

3bd75ae7711be9b54e98f9f233880b2b6ec290db
SHA256

a808c713279d64fe10987ae5b3efc6deb468226c1cdff032d06a2cf0c02d6071
SHA512

d1071720cad6dda7916cb9acaf25fd38bb252559e9331ceea60084d56f555a214431fb8f072e136847443ff12551f09e0222d337e59218b73fcb772907867a1c
SSDEEP

12288:BQMFG+2gef5x/xQTB2OfDKC7WgcBj3hdUU54Knq:BQj+29VgfDnKFDwp

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	kbyvejnduli.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcipcjl.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe"	kbyvejnduli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "togzyrfcyfejofsecez.exe"	kbyvejnduli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "ictljbokfljnrhtebc.exe"	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe"	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kbyvejnduli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iszhvdgs = "ictljbokfljnrhtebc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcglw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kbyvejnduli.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	kbyvejnduli.exe

Executes dropped EXE 3 IoCs

pid	Process
4936	kbyvejnduli.exe
836	tcipcjl.exe
2452	tcipcjl.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "togzyrfcyfejofsecez.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "zsizwnzuotqtwlwgc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "togzyrfcyfejofsecez.exe ."	kbyvejnduli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "gcvppjywtbbhnftgfiex.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "skzplbmgzdzbdrbk.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe ."	kbyvejnduli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "zsizwnzuotqtwlwgc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "skzplbmgzdzbdrbk.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "zsizwnzuotqtwlwgc.exe"	kbyvejnduli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe ."	kbyvejnduli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsmhidtsqzahohwkkolfa.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ictljbokfljnrhtebc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcvppjywtbbhnftgfiex.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "togzyrfcyfejofsecez.exe ."	kbyvejnduli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotzlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsizwnzuotqtwlwgc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gotzlr = "ictljbokfljnrhtebc.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "vsmhidtsqzahohwkkolfa.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nakvmxdsgfw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "zsizwnzuotqtwlwgc.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skzplbmgzdzbdrbk.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "togzyrfcyfejofsecez.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\senxnxcqdb = "gcvppjywtbbhnftgfiex.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyjvnzgwlldb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\togzyrfcyfejofsecez.exe"	tcipcjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcipcjl = "vsmhidtsqzahohwkkolfa.exe ."	tcipcjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zksbqzdqc = "ictljbokfljnrhtebc.exe"	tcipcjl.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kbyvejnduli.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	www.showmyipaddress.com
49	whatismyip.everdot.org
26	whatismyip.everdot.org
31	whatismyipaddress.com
35	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	tcipcjl.exe
File opened for modification	C:\autorun.inf	tcipcjl.exe
File created	C:\autorun.inf	tcipcjl.exe
File opened for modification	F:\autorun.inf	tcipcjl.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	kbyvejnduli.exe
File created	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	kbyvejnduli.exe
File created	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe	kbyvejnduli.exe
File created	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	kbyvejnduli.exe
File created	C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe
File created	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	kbyvejnduli.exe
File created	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe	tcipcjl.exe
File created	C:\Windows\SysWOW64\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File opened for modification	C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe	kbyvejnduli.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File created	C:\Program Files (x86)\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File opened for modification	C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe
File created	C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\togzyrfcyfejofsecez.exe	kbyvejnduli.exe
File created	C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe	kbyvejnduli.exe
File created	C:\Windows\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe
File opened for modification	C:\Windows\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File created	C:\Windows\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku	tcipcjl.exe
File opened for modification	C:\Windows\gcvppjywtbbhnftgfiex.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\vsmhidtsqzahohwkkolfa.exe	kbyvejnduli.exe
File created	C:\Windows\vsmhidtsqzahohwkkolfa.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File opened for modification	C:\Windows\ictljbokfljnrhtebc.exe	tcipcjl.exe
File opened for modification	C:\Windows\skzplbmgzdzbdrbk.exe	kbyvejnduli.exe
File created	C:\Windows\gcvppjywtbbhnftgfiex.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe
File opened for modification	C:\Windows\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File opened for modification	C:\Windows\zsizwnzuotqtwlwgc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File opened for modification	C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File opened for modification	C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe	tcipcjl.exe
File created	C:\Windows\ictljbokfljnrhtebc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\togzyrfcyfejofsecez.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\togzyrfcyfejofsecez.exe	tcipcjl.exe
File created	C:\Windows\skzplbmgzdzbdrbk.exe	kbyvejnduli.exe
File created	C:\Windows\zsizwnzuotqtwlwgc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\skzplbmgzdzbdrbk.exe	tcipcjl.exe
File opened for modification	C:\Windows\zsizwnzuotqtwlwgc.exe	tcipcjl.exe
File opened for modification	C:\Windows\ictljbokfljnrhtebc.exe	kbyvejnduli.exe
File opened for modification	C:\Windows\ictljbokfljnrhtebc.exe	tcipcjl.exe
File opened for modification	C:\Windows\togzyrfcyfejofsecez.exe	tcipcjl.exe
File opened for modification	C:\Windows\wyxxddycftzlxvpinwyxxd.ycf	tcipcjl.exe
File opened for modification	C:\Windows\gcvppjywtbbhnftgfiex.exe	tcipcjl.exe
File opened for modification	C:\Windows\vsmhidtsqzahohwkkolfa.exe	tcipcjl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
836	tcipcjl.exe
836	tcipcjl.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
836	tcipcjl.exe
836	tcipcjl.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe
2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	tcipcjl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4936	2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe	93
PID 2016 wrote to memory of 4936	2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe	93
PID 2016 wrote to memory of 4936	2016	17a074f5e5b2f7984bf1a2bf5dc7d703.exe	93
PID 4936 wrote to memory of 836	4936	kbyvejnduli.exe	95
PID 4936 wrote to memory of 836	4936	kbyvejnduli.exe	95
PID 4936 wrote to memory of 836	4936	kbyvejnduli.exe	95
PID 4936 wrote to memory of 2452	4936	kbyvejnduli.exe	94
PID 4936 wrote to memory of 2452	4936	kbyvejnduli.exe	94
PID 4936 wrote to memory of 2452	4936	kbyvejnduli.exe	94

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	kbyvejnduli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	kbyvejnduli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tcipcjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	kbyvejnduli.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tcipcjl.exe

C:\Users\Admin\AppData\Local\Temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe
"C:\Users\Admin\AppData\Local\Temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe
  "C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe" "c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe
    "C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe" "-c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe
    "C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe" "-c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:836
- C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe
  "C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe" "c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
  2⤵
  PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
fac1674dd6518408c2e8d472bbbc6d6e

SHA1
79c8254a39665f3942db55b70ee89ae7c82a2cff

SHA256
469bb1eb34519a9bccea4df1b67383d0b985bdd84820040254c817ecd4f65c49

SHA512
c4d1be000ccd39a84f3a7fa9b3a4031e763b5823959f300b17fd45e57779add5e82dc3dc802c535b0c776a2ed35c97bf3440b795966ae88ff5d3a9cd11110bd8

Download Submit
C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
d746bfe01e9d67ed9e081d81a007bfbd

SHA1
1af2e08dea3e3c40ea7e10b9e3a4554b6044a07f

SHA256
e9c659187b8748b9ab62f4610c1f551829a16b0c96a3191149da80514c4208b5

SHA512
ca18d87ea2a18049b6c83dc909be3f9895feabe82f2621e19baa2b6ab8e19af73ebeb4e2db9cb80b67d3e77b458283b00f31bb70e80f5aab92590289a42d7500

Download Submit
C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
a2c144dc0f75ab439bc3a1daf4760cae

SHA1
76dd8e7168c1b5f06916e6904c3addb2244843da

SHA256
4c0f5ce94a2adccfa3963f900cbea80c68b62e8ad8d88a072b16188b92672a3c

SHA512
bab62ed095411b26af78e7d594dda740b0d90f9c67168c736d77954c65db20813d3bde060fd4a3ef88568a35f8540f7a605802666e1a974a3d7de5e8be065de3

Download Submit
C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
89768224bd357176b82146494d03dbcc

SHA1
ae6dc3144611058e924874f5cfaa82baee8d6853

SHA256
11fb280c3069db90919996930c54e707c31f6837b6741edf11b2b13c89b5cbf3

SHA512
2f6a4957745402817b252434eabcfca036524ab476a2a7d88c73f2f59b7e0d31892cda3f81c30e7a1da45aa9f34e2828dc8b28f770ac1e3783ffe3e7daaf45ff

Download Submit
C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
f59278af01fe076ff0793c4e9ebe92ea

SHA1
cb3c20f0c45bea8330215d803ea94db7252b636d

SHA256
70e5d8a94acc66f8a0c7264c39f0c4324afa04b455447e66ef335ddef02c5f64

SHA512
08da6155d4e062161cf92ac974c4158f378ba2a9555be6abb73bab95d84a6f9ff875bf87447387346e59f05a12a451cf923a1e368e97174f76fdf8321560ee0e

Download Submit
C:\Program Files (x86)\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
720618b0e35c2a4f31788accb3fc6aa5

SHA1
49a012f3c4b8c2afb0068266442ad241beac5583

SHA256
bdaa3c70040f98901f5369c892e3a25ac9a92804648df6512b3c53a3b91fe634

SHA512
6c334ea1b1138062fad99274bdcef7207e6082fffcbb0b41242e985e777c76a179c1795e384c78cc2ab949fed3ba4ec6d2832dcb3cb90033680d47179e0f16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcvppjywtbbhnftgfiex.exe

Filesize
85KB

MD5
6f56b513a284be3b5d0260e2a6d95ac1

SHA1
248643d192494e3941df5e2db0f43c2c05806e93

SHA256
fd0b741651da76d252eac06728faa91d4ecbb41f9ba438c698950bdba25e2a52

SHA512
611eb9258ff1f5cd3d44cf8455b72540b6272fa1c583ed2dead1865f0607d606b55a7044f1b7f074926fcea26b58569bb4737c64ccd75a8fec732b303e35d5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ictljbokfljnrhtebc.exe

Filesize
73KB

MD5
6cc9e38e6267ce805b933930d5f0d195

SHA1
77eaedad578351645d071324491a22261212b0ee

SHA256
dae90f71d9ef7dc5acd6b62e9476009f83b3f30b87f3d80c0c739bf39ab9d6c4

SHA512
f6de87b9e1d41cb30147410e80dd9d637e703813c5de91d7e22c66c95a0461d0a08f4b889e52bbbfdec4d6643bfd4bd52d4978b845e27df926b79b4a3fb8c224

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe

Filesize
99KB

MD5
725411e0829c2a012a24338a62146f75

SHA1
82ed10a79689e4b908a0deba0134fd31fa7cc738

SHA256
51d98d4cc3d7fbc67a3a70513fe885f5dd3ddd53c8bdaf41637f0a07fe595ab3

SHA512
8d3b3bbaf043d25fa2d0054a1fc482b978946fd2bed99901648b0a7b873790e13a387d0f05d55fc5456353ee74e72046d57560d4c524818de9a5ec01952feb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe

Filesize
320KB

MD5
304415df6ad55a90301aa8158e5e3582

SHA1
cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

SHA256
34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

SHA512
4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbyvejnduli.exe

Filesize
316KB

MD5
2c44fadba48bfbab18f411baa65d2cfb

SHA1
1486a9f99451c4cf51a1342f8385a82dceb5c3d6

SHA256
b9d7af1bf8126ccd301f874791e4669fac5327a4fb0ee8a4f5c72a0718396285

SHA512
b6f2ea7fb223123cd13e5a4d6cb518d67576df1098074dec327ee6a9df976864c641985f8f82a85496b9973c7ea70bb2f93c2dda371f0b10632f49fb81968d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkfbdzqqpzbjrlbqrwupln.exe

Filesize
56KB

MD5
915f297c9512f4a68ecbd0032a7f747a

SHA1
df79152ad3f83f4c7cc6a070f984b945f338b688

SHA256
d6f09e49143855bf4212aa138c1db6d281920013ed7ea7c3c99834d0ce9d75cc

SHA512
00de5a727d87f20b32a69d8b1ac2e69cc7952091301199bfae273e95135f74493d4fc5ac1bcf8cfcf8193df6fdac4f5e4d3adc22034de78e9fe522999e93f8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\skzplbmgzdzbdrbk.exe

Filesize
75KB

MD5
6371e777c1223ab432dd7de3f5bd71ff

SHA1
5d0c7763f7798509ba70b56195952b96de226ac6

SHA256
a1ebb38fc000cda363d8f6e4aaab8f6c109af3da158fda40b829186250bb731a

SHA512
040e1ec36e9d733a64df333dfe2e372752f93da7f04366c9c52b4e92647c6fe2e0ce6cf5967f520702e285f08c62fbfec97272ee08bf0ca201518be2499f1cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe

Filesize
177KB

MD5
bbf9b2072142bdb35d80874a2f722ef8

SHA1
c9dd5d466242def88b7b88528817104cad3c4cb1

SHA256
f6a91d6f8d347eb0badc6cb99336e2776985f3bedd3ee4be9a376ef32c21503f

SHA512
0c4a3cd598e4c57e9885facab329b042088b12c450ad294723cf4c2a2e71d1b084208b14757ddf29cf169a8cc676018a57f1da0409db1cd63594c093376f764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe

Filesize
116KB

MD5
4e2042721a12a5d707a455b96ec8ad3a

SHA1
5dc93fd2ba0ed831d3afb6fa69cd6a5df9db47ad

SHA256
8cac609cf6c84bd505a593a9ae89e6c3c94591a31ef7af700aab4df6eaeeeda4

SHA512
109d51586c2089d7d12fff678ea6a51cefe2d2e39747f847b69c15e209a8971fb5d6da4307be5b0a820670cf3834f770dfaf6059bf99add9ae74c281e68ee9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe

Filesize
191KB

MD5
d59ed019e1f52d7c2010d47571c14bad

SHA1
b32f64a2ddf0690ee0c0886dd1400ff44c1af2ad

SHA256
713c8dec38f79cd2faccb781f5a5243bf70e24fd391955e3d09f9241ea03876f

SHA512
74e9e217b8c5a14c7762c606b5f8a4423168a9c7a39a1d9a3581f0560c6d2febcb2618cbd5bda95fa5efd4dc1b6c95dc95cfe53d62a6972c97a8fba1b30f453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcipcjl.exe

Filesize
138KB

MD5
b32fb3975ba513b0b327633039909bb1

SHA1
5e36d97026d5f1baaaeaa9a912a1af2077123c19

SHA256
4d1710e614dd0e4c55b20c9e6b33c1427ca6a35190277cd990728cf0818189be

SHA512
edafee44938dd37d1da3df37a43b1bbd4367319a0daafab767693be8a826571641a6094a5200ca1e7bfb67fff6d5824a0c108ff8be7a392fa15bcbe47647414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\togzyrfcyfejofsecez.exe

Filesize
120KB

MD5
b5cf578f8a5bd632d613bc9de768185a

SHA1
80c8b997c6b52ebc64404812b6b697d9964366c6

SHA256
995d96402a386d8f768ee59ccc50c7196b580aadb4da54434155aedbd043334c

SHA512
255a2c9f7430b53823972844ef4735beae1e6dca434034791f5b2d159af193298842bd894b7ec20f17e4e6514bee5b9373c7604402706a59fdbfaecec55cca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmhidtsqzahohwkkolfa.exe

Filesize
62KB

MD5
8c5bf894761e691773c51f93167a82a3

SHA1
204dfd92dde2872671a1852bb7c3193268dee4a7

SHA256
f5664f3f8e3e0f28e2fff3287122ed03ea45459e26a100488d5b218f00df2455

SHA512
a4c0f177f57302f40d718e321f1643b7143fb5c1b2cb9b97927551837227a022d36ff0b132b45172f863c06675e62aea6e2d84561aaaba130eebace25998ba33

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsizwnzuotqtwlwgc.exe

Filesize
63KB

MD5
d67da81ded66f185f536fdba2c7a69a2

SHA1
983c0e6b4c4501bbf6651e3a72d23980e2b359b0

SHA256
2aff94d495f3b37f102453effcfeafa5aa2b61bb7f7bdcff5553a5a9f2f09edf

SHA512
031f08329d0adf325b319cff4f66d2121f3ebf5c6d0abf32f8837aaa4d9309fe5fe2f61a77f3b8ac037dae4fc0ccf4dcae90d19102bfa6f2a898a03d7a67c99b

Download Submit
C:\Users\Admin\AppData\Local\nakvmxdsgfwtqzeiysfparcixlkbyvejn.xku

Filesize
3KB

MD5
ae3ed88ee77d0ce5a9047b5a38d2cc40

SHA1
e679fbeb30d0d8615b39f03eccc20ca1cce1090d

SHA256
a0f2850a99d046a8deff4d745bd4a0a78d590a9041d6968398e67102af59d118

SHA512
95dd459a27b611ec1ab008bec72d3b430a51c0a78ce9169f4f27b4780d2e6c24946feb65bdd79598a610eb412053ace2cf59da97dcd9cea8fd2cc452ac61c097

Download Submit
C:\Users\Admin\AppData\Local\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
02e5ff67dbeb0e6f852b19cfc3207cef

SHA1
8ed622bbb4d80ee8e6497734a935e846a6103f75

SHA256
c279857cb15515cd4b60dcd0fe6d0ed42be66fa125eb288cdc5f8483512e6a2e

SHA512
faa1cb85bf7635e1ff8c82a569bcddc07f05b4571eb87fe0721761ba45864ecf1bfc5da552bd1c1e76bf68dbca3fe50666657c58fa8063606aff52bb99e28ed0

Download Submit
C:\Users\Admin\AppData\Local\wyxxddycftzlxvpinwyxxd.ycf

Filesize
260B

MD5
2fa8f35f8f4a8aa51909ef590e8f8db3

SHA1
bfb3a34e473b0779a9c855ffef12cb050ebf882e

SHA256
4e2509a27af5b524fbd1e7bc2501de9b85198b42b2f3b8d5ba2ad3c621f297bf

SHA512
c9072fc45ba4d775c7cdba49df6003a0c3b35a35ae302083c46adca2173d4a27e2221b049a594bb373e0ba44eb354f621f42ca08fa24fc7324dfeed76b39adcf

Download Submit
C:\Windows\SysWOW64\gcvppjywtbbhnftgfiex.exe

Filesize
131KB

MD5
11f3b80612ef2e8fb9666cc1b6beb346

SHA1
2a3037d7dee87ecf423980936eb2d908312b8f95

SHA256
c8a6019b352b5469e660344871745e75c72369cac6591c9d0602c93d86dd175e

SHA512
24200946562924f93c13bc4407198f7d1a7ec4d69e6af7e9ad1b066fd688eb5612c8dec00dbb57fd9204f98ef68e9a5fda4db03950a6297e761a1bce9aa656f6

Download Submit
C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe

Filesize
402KB

MD5
90ef1204173e4475e23eb46ee4900105

SHA1
a773509d2957c5770f24300709036264acb0fb5b

SHA256
55ba00a1c0ec040de365f6f11f17eea3718328fa213ef7a427275000b0bb1313

SHA512
2c477de818d3eadc476e1803136677f9f1bb13307cc06139ab5ba1b56476c6b964c86f8e44761156cd5e534a5a2ff7fdeab9f072a30d32a5895ed7a3dde325ec

Download Submit
C:\Windows\SysWOW64\ictljbokfljnrhtebc.exe

Filesize
177KB

MD5
f3abe728a053dd0786240f7b33d526e0

SHA1
bad10765c59cea48c06585699372181c214273d2

SHA256
770f7c4f61d113c1a10f6cab7f3ed72572703e17491d14c80321b7d8aeb7203e

SHA512
e6b730ddb6c2fe49029da45444f11326db950b9e879ac41ccd085d133fa8546bf6651b4c8d6a898a50495ac70c7c76aee9896ab500d366b3c96a98552e7285dc

Download Submit
C:\Windows\SysWOW64\mkfbdzqqpzbjrlbqrwupln.exe

Filesize
125KB

MD5
6b2080d5a286b7da938f2ef85474dc48

SHA1
fd6916bcb0a5ac99b0237f99559d829d5213d2a9

SHA256
6e9bbecd6aeb262fd9762123756ab2b9ed3232b389e8a00ef313988d45ae06a0

SHA512
be0fa55059898fad0aa4849068612e9533a9b11eaa913ed5491e9afb3ddb5593e245ce888f5d912c8d839ee4d3d0fed60bc918c4cca65a4eff17890ee342d40e

Download Submit
C:\Windows\SysWOW64\skzplbmgzdzbdrbk.exe

Filesize
140KB

MD5
0c26158e6974bc6762d22b6709c0392b

SHA1
3c160e33df0180752943183d9195ab2f590d8fdd

SHA256
252d4fc8df6839f1e9459a5ca11df6517019a5278e7199f3b93b2dc51dfce403

SHA512
bf1b4ccda42725dbe2ba1cf211f0d61211b7babacf87859177c2b2a5309830151a760c74518f472917c79065af51e4da383e8ebc739b8dcaf8eade85d1edbee8

Download Submit
C:\Windows\SysWOW64\togzyrfcyfejofsecez.exe

Filesize
137KB

MD5
2d5d4d9125327b6c5690ef9abea4c3c3

SHA1
918123f41f06c4165ac9d014ed24c91cacd8fab4

SHA256
b2d61788e7aa044dbd3b35dca16061ba7aa76c304036f4092c6edf748917e4f8

SHA512
3db341effdfa11b2859863e06969fb7c9f26a258a8413c629ae25780d250d7f0d1975120dbc0dba95f370321bd9f0ec44188535a246810220c99f70bd5403361

Download Submit
C:\Windows\SysWOW64\vsmhidtsqzahohwkkolfa.exe

Filesize
48KB

MD5
93e8f2dab07b704f65e8942dc6a10325

SHA1
f41499c0233e1aa3e719bfc024c5398fc2549429

SHA256
2a987ec5173b5d8f6e09cd321a643e2e735f03ddb36884e3cfab43e462093911

SHA512
baee34272fb4c4ddde542ea476740f548407cec9739a9e06747681131f709bc2eca929e2e64a02eb4ce9620a104b0c04da6bb78b20b3764d6cb1666a0a3bfdd3

Download Submit
C:\Windows\SysWOW64\zsizwnzuotqtwlwgc.exe

Filesize
106KB

MD5
ab7f4eaa850068a4f9f33409ff940a87

SHA1
5a2fb3f662128dd3febc2fa8ff8fb02a00dd92ba

SHA256
e5b324c6fd0f3394786262da01e7db8a9f34bf17b052439f2d11da412aef21f7

SHA512
ec7dffbd2b87af928462e8950e7ae9f3a9df57d1d608f417b0096f6386477081aa09d13595ee8d4cdcfc7ed5131b70e0dce04f0c23aa05a3eae4f7dc4c8305a3

Download Submit
C:\Windows\gcvppjywtbbhnftgfiex.exe

Filesize
55KB

MD5
5b2ec4ba2757be63f70f454314eaa8d2

SHA1
ace28c9f83da598a894789148da14adbc49c7a63

SHA256
c2d84114b8aaa7ac32f9b4c3b280505f53c11ac84a199efd21ad293464fd34a7

SHA512
691ef2a646f6850e1d90ade87c374d679d53f2b812acd8fb1d993fc61ad33b2b974d3628684b87be60d4ea8bc1cbafc096b2326dbf19f688804f179295329862

Download Submit
C:\Windows\gcvppjywtbbhnftgfiex.exe

Filesize
118KB

MD5
1560ac2280409959e85d6e76c9f5f1c2

SHA1
194335080fcc36a5eefa822ab657c3bdf2a298f8

SHA256
b973453225195543506d28048ce6354ed3d0b50b60fbc36553db73fb32650af8

SHA512
3c8f829c7e3c0048af4e4ad0d88c94664e5458efc40d42283b2629137fd892d105a8b5c270422b8c7189b86188bf49fe6f4c936e2d7d6fead1dedb677982e5e3

Download Submit
C:\Windows\gcvppjywtbbhnftgfiex.exe

Filesize
37KB

MD5
a236b4bc5bad495daaa100e8faa14466

SHA1
30570f53eacc5d03e66743b657e2478e30b1412f

SHA256
fd01aead2bcff6fc7260f22b9bc8372482866d8403a5695ce45dcec88ee6944c

SHA512
e66017e1974031de96672e5b36eacc3e4b92d243206dc15a3eb1811ca34cf32ea71a4c238e629fead2666257db819e760c8cc4e816a34013e7f534f141f35f79

Download Submit
C:\Windows\ictljbokfljnrhtebc.exe

Filesize
98KB

MD5
2c86237db06810b2ad8247e41581f65a

SHA1
21d6ea211fca6889670c8560d4cca7fc4ce2f5dc

SHA256
fe135dd8a9d2a0bff76cd545f40b564e872ec8a0cbdbde1ce6aa47b605b818b3

SHA512
4833676771538bc82739ccf89b3a60449715837a5d6227ebdfb2d1de7ba1ae3130d66ae85136fe5240018b33016ab7dfc0291ef489fcfd72d9693d0aebec7a95

Download Submit
C:\Windows\ictljbokfljnrhtebc.exe

Filesize
95KB

MD5
1bc84f9f3536da19ae3fae82be91ff5e

SHA1
e961a0ca0e3b7986471d0f64447b726a98274d47

SHA256
417c4ef3e2ab9278a64d670f2740513649e631229caaafc2f490982ae98b0fac

SHA512
84a7fd8c7843883caa1433d0b7ef0d62560f5b536b616029f45f0ada1448504258e8a10f36afee69e089ba50c103721001cef6b8eef8537ffebd09253cbb15ef

Download Submit
C:\Windows\ictljbokfljnrhtebc.exe

Filesize
34KB

MD5
ae03b2d070ded4763acc85b629376eee

SHA1
51564b8d957213e81fe73bef32f7ae91a383ecc7

SHA256
0a97daba9b955118d9b4834d1b680162e39951e0204eaa94b2bff0a887e41b83

SHA512
4ca8f4d242ba8ac8814b51070068378a5989719cbad87d67025228f4e9b869eece686fa25f17ac5af329f508e9d375a7b268ef45c14b72acf999d13e035ebd83

Download Submit
C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe

Filesize
102KB

MD5
43550d05e946022500adbeeb7fe3adbb

SHA1
8ca1fcd6fabbd76b7efc5a51fdd089274045bafa

SHA256
9e5185e66cb3a16b60497df3373ee942e3a191795751133c8cd91af3a59fe225

SHA512
96c1e7a9b97e297e0113a38f6c54088893b082223d5195a0e4d3941760c030c3d3b7d40fb3b0ea96b8407b2452d972aa2c5c813699b818c70578ab879e1cb7b9

Download Submit
C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe

Filesize
105KB

MD5
59a9c8600637d98b723e3fca76d4cabb

SHA1
afd2f3255a4de3edcc4389edbbfe222647fa0e6e

SHA256
ccb0a0a2df0be5cacfe0d0d6cef611041617701ab860259be9705b688da2d55d

SHA512
208a098476238cc391dc15e93ea30230ca3e8345b2ecfb069629d3441e364cd61226e1f7d8ee3c2dc38c0ba416cb68b4e9c6db62ae53b7dba967fc5dd20bfe45

Download Submit
C:\Windows\mkfbdzqqpzbjrlbqrwupln.exe

Filesize
57KB

MD5
58977097274b3f9fa86ea683cb931206

SHA1
d6a09640ce50770d7cc83421db6227e716e19708

SHA256
db55fb641f4ba0da4cda51cb4bf118a30f88f24e35b2439887cb6796a6473864

SHA512
dd9fc24a202b1b6a282f145114db8ef44b3c8085b9000c5aca91456a08e01e158b2ea74bd95e40ed30acd8e395bd5e616da3449116aa5d61daf848e519c38287

Download Submit
C:\Windows\skzplbmgzdzbdrbk.exe

Filesize
171KB

MD5
944c9aef53b70868f33d0fffb0a64afb

SHA1
a60ba15abd534ca85414a3c9301932137b1ec442

SHA256
716fe504c24664001c0e960fb6cae18ef5ed20f7f8ac80ed0b973b51e5a51bf3

SHA512
3b2f2a4421e4c5716fef50e49cda9e2b4abc4ca904498db40012cc5bb1aeca47f80344c7fcd42d6a4fa08128608fbcc9f3f9cd3fd8b6f3b0cde54d0103da6bae

Download Submit
C:\Windows\skzplbmgzdzbdrbk.exe

Filesize
27KB

MD5
3cec40e340a607623851928cbd425c22

SHA1
f75a69c49036b8af6bfc2f7db61009bd1ac0ba93

SHA256
28dd63ca637ab7df3f00d7985ab9ce13f33e5bf50da5f0a80dabe7b018574fa6

SHA512
9073ac4019de9d946217d34a192a1bd518224ba4a6163a28c7fa7ea212a06aee31fba3f7a32e68802d18fd09345687305aef5307342f1c0c70afbb7575dcff7a

Download Submit
C:\Windows\skzplbmgzdzbdrbk.exe

Filesize
66KB

MD5
1b3ea18c9b3a75b7c8fffd7ca35d26a7

SHA1
78b34cf6e2d4ba32e77c093708bd1c3ad919402f

SHA256
8e0514ed0486da671f0c52bec42c5bf9bb65ee770342560bc1d2f6eb907ae97e

SHA512
f32bb43384483835d7181eec75895a459b40d37e62a916a68c098c445777f01bb4b0890c5b2cf01e52cf3905121fbe5765c8fe052640bb454e0998b1d515f3f1

Download Submit
C:\Windows\togzyrfcyfejofsecez.exe

Filesize
91KB

MD5
e5d5c8404ccdc37f46f4d6cf5e40f76c

SHA1
aebe7a0e4a2b664898a3004007c4974f7e33417c

SHA256
d570f0c5484aadebde08580c810bf6a48da0caafbab60345a9eaf43fabc6b643

SHA512
5804cc43aefd602c352c4113919eec06bc4b4870985fc6f0c2d4c5bbe815e109d90933a2f8fbbafcf70fd9f8f6d19b61b5a8167c99a8552975770e8946a10377

Download Submit
C:\Windows\togzyrfcyfejofsecez.exe

Filesize
53KB

MD5
e1692768cdaa939e31023ebc34f28699

SHA1
c888bbc3853367e91d227560d7690e1ab2a4633d

SHA256
8febad2904c9803c43c9e569bd3b60568633a2f294a95349131f7ba966b52ef3

SHA512
b426e7e1cf4d70392700b791d76ec1481b1999f9eb278891af39bf7fd132dace07526b016706a7ebcf0d123f945fe02f36f01b06526572e6b92801409e6f373b

Download Submit
C:\Windows\togzyrfcyfejofsecez.exe

Filesize
36KB

MD5
3671f3036188662866e7be8848c35345

SHA1
5bf9b2e80636ec35b69de94fca4673e39d5749a5

SHA256
e9d0ffd60226004c9d99b563f1fcf4c21633933d0c73eefa98b8e3976d82b95e

SHA512
4e159036ff23cf7027908a597f22bad884083f30a8525e43aa906252e9bc471840fedfe274bba67a0eb1ba4f43dc5b8dc0d1e6d4a2052cf39ebb89cfa866c660

Download Submit
C:\Windows\vsmhidtsqzahohwkkolfa.exe

Filesize
189KB

MD5
37e349907df83311a08c5e375e4b6fd1

SHA1
ef778a4a9216d896ffe4a1b0c292a2c0ec1d3aff

SHA256
8240e0e6e0478aead4e3a2b9370e9c84d6e437b178688a3e70775d79d133978d

SHA512
7dd2bd561c48c96fc0855ebdd6f6ef913909724e88364f0f86760031e5580b1c817a83dba52442fef4936c1cb728a783459839db60cb2983c33dc3b9d606d37b

Download Submit
C:\Windows\vsmhidtsqzahohwkkolfa.exe

Filesize
90KB

MD5
fe01770f79c78386eb92aaf8bdf4a994

SHA1
7ef34af0ee85d2ac6ecd08d1992ade39581a9422

SHA256
b21cf3b6db9d280411b0d984481cef7cde3011807365541a08fc698bc185eae3

SHA512
16b354c88be9d233dff3261b293b3a8990532cc7a0423e0cabd40959a5d8d51c86de15a820b54e550c1c117b4cc20f7462688aa1714880f618e60aaf1e7d9803

Download Submit
C:\Windows\vsmhidtsqzahohwkkolfa.exe

Filesize
56KB

MD5
381c196032684f95f6daa514e804c494

SHA1
aab2710ee2456d3693d8a7a667feb194281cc24d

SHA256
2d33b4108b53452f65f0b38fab592ab3c9ad7e4dd69c7a98a6bcd18f8bd0ea2e

SHA512
e218252cacdbdcc8afbf4834b44af4620bce290463139073d63332542fdaa47c008234a7bead485e7ef09bde2d181a4b5b45326204dc253d50a408ee78d6f4d2

Download Submit
C:\Windows\zsizwnzuotqtwlwgc.exe

Filesize
65KB

MD5
490dbf4f28526d84ed295acbbf8373c5

SHA1
54c17993cab569de330ca4113f5d752019a64caa

SHA256
c3795cd95bc279a6bc4ba6dc8d9664896d769534e7d8f6e645423588176484f3

SHA512
97bc3ad14590fb9cd7917132e22332dc24d91565bf1c62dc153f462bfe900a03338388b3390d3b1abf2732a74a5da00567e78af300fd76354ca2de4abe7a2ab9

Download Submit
C:\Windows\zsizwnzuotqtwlwgc.exe

Filesize
104KB

MD5
8acb21990b6843435fceec8c76f566c7

SHA1
6f17a3937339e163c8003ea84d8e77a45f713264

SHA256
f83b77a331171d6dc0cd17e4acd761620ace172f52e25c71cd50aa6c6b9b0857

SHA512
cb6ab7afe7bccf0f38c144c516f0ffcdd43e7133ee8d20ebb5dbfdd6034baa0f325868a903d9a35ef0cc254e14b95a0276a070e5e5921d5bff58927c39811587

Download Submit
C:\zksbqzdqc.bat

Filesize
544KB

MD5
f20fe90586b80cdb47fa321d080b751f

SHA1
8cf3eeb421d2b77c5721b162149313fbc40d5be2

SHA256
d0dc7d6c5bcf816e419093050a3828bc720a71ac3ae6b87e0634cd810f49b0e6

SHA512
ffe66525fcd24e576af4a60a4edcdfe1d5afa7d816b3dca372b717cfa9875773c4895163438ce1c7d7305da927a52a99546fafe321d37dd5553513ce1479baca

Download Submit