d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
Size

1016KB
MD5

4a37a82d1c16c4186b9ed15cca7ed630
SHA1

62716dbbaa28696fcd3546532002d8dcd382bb24
SHA256

d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f
SHA512

ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094
SSDEEP

6144:6IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:6IXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pwyrqtqlzgi.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdjpbjl.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idwpojyyqhaqbdlxdhez.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "ulapkbmiwjykrptb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "ulapkbmiwjykrptb.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ufoxmxcsah = "idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdjpbjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe

Executes dropped EXE 4 IoCs

pid	Process
1404	pwyrqtqlzgi.exe
4412	vdjpbjl.exe
1988	vdjpbjl.exe
1952	pwyrqtqlzgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pwyrqtqlzgi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdulibomcriwfflvzb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe ."	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idwpojyyqhaqbdlxdhez.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "xtnhhdtunfzqcfobinlhb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "idwpojyyqhaqbdlxdhez.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "idwpojyyqhaqbdlxdhez.exe ."	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "kdulibomcriwfflvzb.exe ."	vdjpbjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "vphzxrfevldscdkvadz.exe ."	vdjpbjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "kdulibomcriwfflvzb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "ulapkbmiwjykrptb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "idwpojyyqhaqbdlxdhez.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mzkvmzgyirck = "vphzxrfevldscdkvadz.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ulapkbmiwjykrptb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "idwpojyyqhaqbdlxdhez.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "btjzvnzwlzpckjoxa.exe ."	vdjpbjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "ulapkbmiwjykrptb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "btjzvnzwlzpckjoxa.exe"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "kdulibomcriwfflvzb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pblvlxdudlv = "idwpojyyqhaqbdlxdhez.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbobujsmyjwglh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtnhhdtunfzqcfobinlhb.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "vphzxrfevldscdkvadz.exe"	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lzlxpdlepzluy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdulibomcriwfflvzb.exe ."	vdjpbjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ktahudgu = "vphzxrfevldscdkvadz.exe"	pwyrqtqlzgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bltbpzdsz = "kdulibomcriwfflvzb.exe ."	vdjpbjl.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vdjpbjl.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	whatismyipaddress.com
15	www.showmyipaddress.com
20	whatismyip.everdot.org
34	whatismyip.everdot.org
45	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	vdjpbjl.exe
File opened for modification	C:\autorun.inf	vdjpbjl.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe	vdjpbjl.exe
File created	C:\Windows\SysWOW64\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe	vdjpbjl.exe
File created	C:\Windows\SysWOW64\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe
File opened for modification	C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe	pwyrqtqlzgi.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe
File opened for modification	C:\Program Files (x86)\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe
File created	C:\Program Files (x86)\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe
File opened for modification	C:\Program Files (x86)\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ulapkbmiwjykrptb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\ulapkbmiwjykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\kdulibomcriwfflvzb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe
File created	C:\Windows\pblvlxdudlvcexwzwrfrblbntktblsunm.mhv	vdjpbjl.exe
File opened for modification	C:\Windows\ulapkbmiwjykrptb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\olgbczqsmfasfjthpvurmh.exe	vdjpbjl.exe
File opened for modification	C:\Windows\olgbczqsmfasfjthpvurmh.exe	vdjpbjl.exe
File opened for modification	C:\Windows\ulapkbmiwjykrptb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\btjzvnzwlzpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\xtnhhdtunfzqcfobinlhb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\olgbczqsmfasfjthpvurmh.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\xtnhhdtunfzqcfobinlhb.exe	vdjpbjl.exe
File created	C:\Windows\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe
File opened for modification	C:\Windows\idwpojyyqhaqbdlxdhez.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\kdulibomcriwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\idwpojyyqhaqbdlxdhez.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\btjzvnzwlzpckjoxa.exe	vdjpbjl.exe
File opened for modification	C:\Windows\vphzxrfevldscdkvadz.exe	vdjpbjl.exe
File opened for modification	C:\Windows\idwpojyyqhaqbdlxdhez.exe	vdjpbjl.exe
File opened for modification	C:\Windows\xtnhhdtunfzqcfobinlhb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vphzxrfevldscdkvadz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\olgbczqsmfasfjthpvurmh.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\kdulibomcriwfflvzb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\btjzvnzwlzpckjoxa.exe	vdjpbjl.exe
File opened for modification	C:\Windows\vphzxrfevldscdkvadz.exe	vdjpbjl.exe
File opened for modification	C:\Windows\idwpojyyqhaqbdlxdhez.exe	vdjpbjl.exe
File opened for modification	C:\Windows\xtnhhdtunfzqcfobinlhb.exe	vdjpbjl.exe
File opened for modification	C:\Windows\kdulibomcriwfflvzb.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\btjzvnzwlzpckjoxa.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\vphzxrfevldscdkvadz.exe	pwyrqtqlzgi.exe
File opened for modification	C:\Windows\yzyxcdyeczyulthzlvyzyx.dye	vdjpbjl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
4412	vdjpbjl.exe
4412	vdjpbjl.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
4412	vdjpbjl.exe
4412	vdjpbjl.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	vdjpbjl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1404	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	84
PID 1496 wrote to memory of 1404	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	84
PID 1496 wrote to memory of 1404	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	84
PID 1404 wrote to memory of 4412	1404	pwyrqtqlzgi.exe	85
PID 1404 wrote to memory of 4412	1404	pwyrqtqlzgi.exe	85
PID 1404 wrote to memory of 4412	1404	pwyrqtqlzgi.exe	85
PID 1404 wrote to memory of 1988	1404	pwyrqtqlzgi.exe	86
PID 1404 wrote to memory of 1988	1404	pwyrqtqlzgi.exe	86
PID 1404 wrote to memory of 1988	1404	pwyrqtqlzgi.exe	86
PID 1496 wrote to memory of 1952	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	95
PID 1496 wrote to memory of 1952	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	95
PID 1496 wrote to memory of 1952	1496	d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe	95

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vdjpbjl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vdjpbjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pwyrqtqlzgi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pwyrqtqlzgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pwyrqtqlzgi.exe

C:\Users\Admin\AppData\Local\Temp\d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe
"C:\Users\Admin\AppData\Local\Temp\d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe
    "C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe" "-C:\Users\Admin\AppData\Local\Temp\ulapkbmiwjykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe
    "C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe" "-C:\Users\Admin\AppData\Local\Temp\ulapkbmiwjykrptb.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1988
- C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe
  "C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe" "c:\users\admin\appdata\local\temp\d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
a02ecf7401b752d1682da17296e3997f

SHA1
90ecc6dc2e4bf0bfa67f6b32f16648fbf84b77e1

SHA256
e26a6084fc5704e2b9943308ce5d408b2fc4d5f669d19584f4e0bec8be0cd106

SHA512
940f443706176b92c32a36b2e906ea6433830cf78cc52c5f9ed5fc0419adaf8058290f23ace60209d73e847a0ee4dd53da1246e2536fd4c54c09e8a05cad8c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
a02ecf7401b752d1682da17296e3997f

SHA1
90ecc6dc2e4bf0bfa67f6b32f16648fbf84b77e1

SHA256
e26a6084fc5704e2b9943308ce5d408b2fc4d5f669d19584f4e0bec8be0cd106

SHA512
940f443706176b92c32a36b2e906ea6433830cf78cc52c5f9ed5fc0419adaf8058290f23ace60209d73e847a0ee4dd53da1246e2536fd4c54c09e8a05cad8c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyrqtqlzgi.exe

Filesize
320KB

MD5
a02ecf7401b752d1682da17296e3997f

SHA1
90ecc6dc2e4bf0bfa67f6b32f16648fbf84b77e1

SHA256
e26a6084fc5704e2b9943308ce5d408b2fc4d5f669d19584f4e0bec8be0cd106

SHA512
940f443706176b92c32a36b2e906ea6433830cf78cc52c5f9ed5fc0419adaf8058290f23ace60209d73e847a0ee4dd53da1246e2536fd4c54c09e8a05cad8c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe

Filesize
720KB

MD5
a75aae45c9a912f3fd672dda3384ba29

SHA1
419e89b11531034bcf2230b80d279b7b206f5981

SHA256
4bc8346d4ae731545d4a7c445012c899764528287cb225df3890087ad3f80eab

SHA512
a76127622bb0750c30201287eaa09862752bfd513ca1861c2a9de5b5a1831f82a3e15c51bb262713fa0f47675ed7a984b742a63fb336dfbfafdcffac4ca4fa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe

Filesize
720KB

MD5
a75aae45c9a912f3fd672dda3384ba29

SHA1
419e89b11531034bcf2230b80d279b7b206f5981

SHA256
4bc8346d4ae731545d4a7c445012c899764528287cb225df3890087ad3f80eab

SHA512
a76127622bb0750c30201287eaa09862752bfd513ca1861c2a9de5b5a1831f82a3e15c51bb262713fa0f47675ed7a984b742a63fb336dfbfafdcffac4ca4fa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdjpbjl.exe

Filesize
720KB

MD5
a75aae45c9a912f3fd672dda3384ba29

SHA1
419e89b11531034bcf2230b80d279b7b206f5981

SHA256
4bc8346d4ae731545d4a7c445012c899764528287cb225df3890087ad3f80eab

SHA512
a76127622bb0750c30201287eaa09862752bfd513ca1861c2a9de5b5a1831f82a3e15c51bb262713fa0f47675ed7a984b742a63fb336dfbfafdcffac4ca4fa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\SysWOW64\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\btjzvnzwlzpckjoxa.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\idwpojyyqhaqbdlxdhez.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\kdulibomcriwfflvzb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\olgbczqsmfasfjthpvurmh.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\ulapkbmiwjykrptb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\vphzxrfevldscdkvadz.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit
C:\Windows\xtnhhdtunfzqcfobinlhb.exe

Filesize
1016KB

MD5
4a37a82d1c16c4186b9ed15cca7ed630

SHA1
62716dbbaa28696fcd3546532002d8dcd382bb24

SHA256
d83c9d198bd99f941974f151359c4997ad6e69c8e5872799f0066ea01e232e3f

SHA512
ab4c22b24959d539ab3f158d01118dc53de4871d6b4ba9e7168799e25e57c048ac2131f607f04fd4427c3440c7bf5fc9e53e4afedfb46d5780d147c29eda3094

Download Submit