98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

Analysis

max time kernel
152s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
Size

1016KB
MD5

83012038f33c82a4209126b7df31ea40
SHA1

710e4df1969abe00951616113e486ce5223cd2e3
SHA256

98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53
SHA512

f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9
SSDEEP

6144:OIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:OIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	grrfdxtjqbb.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vbotadk.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbzphvnjzrzrytyzcz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "kbzphvnjzrzrytyzcz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\broduhytizgxdxbbd.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "broduhytizgxdxbbd.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "kbzphvnjzrzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "broduhytizgxdxbbd.exe"	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "xrslgxsrkfqlvtbflllfg.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrslgxsrkfqlvtbflllfg.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "kbzphvnjzrzrytyzcz.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrslgxsrkfqlvtbflllfg.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "kbzphvnjzrzrytyzcz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inzdjl = "ujftjvlftjpfkdgf.exe"	vbotadk.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe

Executes dropped EXE 4 IoCs

pid	Process
4980	grrfdxtjqbb.exe
4916	vbotadk.exe
4884	vbotadk.exe
968	grrfdxtjqbb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	grrfdxtjqbb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\broduhytizgxdxbbd.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "kbzphvnjzrzrytyzcz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "broduhytizgxdxbbd.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtblrbpxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "ujftjvlftjpfkdgf.exe"	vbotadk.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "xrslgxsrkfqlvtbflllfg.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "ibbtndxvnhrlurybgfex.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "ujftjvlftjpfkdgf.exe"	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "kbzphvnjzrzrytyzcz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "xrslgxsrkfqlvtbflllfg.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "broduhytizgxdxbbd.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbzphvnjzrzrytyzcz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "xrslgxsrkfqlvtbflllfg.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "xrslgxsrkfqlvtbflllfg.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtblrbpxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtblrbpxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\broduhytizgxdxbbd.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrslgxsrkfqlvtbflllfg.exe ."	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe ."	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "ibbtndxvnhrlurybgfex.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "vnmdwlebslunvrxzdbz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "xrslgxsrkfqlvtbflllfg.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnmdwlebslunvrxzdbz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "broduhytizgxdxbbd.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "ibbtndxvnhrlurybgfex.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\broduhytizgxdxbbd.exe"	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "ibbtndxvnhrlurybgfex.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\orbd = "vnmdwlebslunvrxzdbz.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjyfotcpw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe ."	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\broduhytizgxdxbbd.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "kbzphvnjzrzrytyzcz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe ."	grrfdxtjqbb.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibbtndxvnhrlurybgfex.exe ."	vbotadk.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	grrfdxtjqbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "broduhytizgxdxbbd.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\krfltxfr = "kbzphvnjzrzrytyzcz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtblrbpxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtblrbpxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujftjvlftjpfkdgf.exe"	vbotadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xbmpu = "vnmdwlebslunvrxzdbz.exe ."	vbotadk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbotadk = "xrslgxsrkfqlvtbflllfg.exe"	vbotadk.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	grrfdxtjqbb.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	whatismyipaddress.com
32	whatismyip.everdot.org
36	www.showmyipaddress.com
40	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	vbotadk.exe
File created	C:\autorun.inf	vbotadk.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kbzphvnjzrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\vnmdwlebslunvrxzdbz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ojlfbtppjfrnyxglstuprl.exe	vbotadk.exe
File created	C:\Windows\SysWOW64\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\broduhytizgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ojlfbtppjfrnyxglstuprl.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ujftjvlftjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ujftjvlftjpfkdgf.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\kbzphvnjzrzrytyzcz.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\ojlfbtppjfrnyxglstuprl.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\ibbtndxvnhrlurybgfex.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ujftjvlftjpfkdgf.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\xrslgxsrkfqlvtbflllfg.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\xrslgxsrkfqlvtbflllfg.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ibbtndxvnhrlurybgfex.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\xrslgxsrkfqlvtbflllfg.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\vnmdwlebslunvrxzdbz.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\vnmdwlebslunvrxzdbz.exe	vbotadk.exe
File created	C:\Windows\SysWOW64\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\ujftjvlftjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\vnmdwlebslunvrxzdbz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ibbtndxvnhrlurybgfex.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\broduhytizgxdxbbd.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\kbzphvnjzrzrytyzcz.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\broduhytizgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ojlfbtppjfrnyxglstuprl.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\ibbtndxvnhrlurybgfex.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\broduhytizgxdxbbd.exe	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe
File opened for modification	C:\Windows\SysWOW64\kbzphvnjzrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\SysWOW64\xrslgxsrkfqlvtbflllfg.exe	grrfdxtjqbb.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File created	C:\Program Files (x86)\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File opened for modification	C:\Program Files (x86)\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe
File created	C:\Program Files (x86)\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kbzphvnjzrzrytyzcz.exe	vbotadk.exe
File created	C:\Windows\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe
File opened for modification	C:\Windows\ojlfbtppjfrnyxglstuprl.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\broduhytizgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\kbzphvnjzrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\broduhytizgxdxbbd.exe	vbotadk.exe
File opened for modification	C:\Windows\ujftjvlftjpfkdgf.exe	vbotadk.exe
File opened for modification	C:\Windows\broduhytizgxdxbbd.exe	vbotadk.exe
File opened for modification	C:\Windows\vnmdwlebslunvrxzdbz.exe	vbotadk.exe
File opened for modification	C:\Windows\xrslgxsrkfqlvtbflllfg.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ujftjvlftjpfkdgf.exe	vbotadk.exe
File opened for modification	C:\Windows\broduhytizgxdxbbd.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ojlfbtppjfrnyxglstuprl.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ibbtndxvnhrlurybgfex.exe	vbotadk.exe
File opened for modification	C:\Windows\vnmdwlebslunvrxzdbz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ibbtndxvnhrlurybgfex.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\ibbtndxvnhrlurybgfex.exe	vbotadk.exe
File opened for modification	C:\Windows\xrslgxsrkfqlvtbflllfg.exe	vbotadk.exe
File opened for modification	C:\Windows\xrslgxsrkfqlvtbflllfg.exe	vbotadk.exe
File opened for modification	C:\Windows\udtblrbpxhhrqdatodsbrzjpznvffpob.rmb	vbotadk.exe
File opened for modification	C:\Windows\ibbtndxvnhrlurybgfex.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\kbzphvnjzrzrytyzcz.exe	vbotadk.exe
File opened for modification	C:\Windows\ojlfbtppjfrnyxglstuprl.exe	vbotadk.exe
File opened for modification	C:\Windows\ojlfbtppjfrnyxglstuprl.exe	vbotadk.exe
File opened for modification	C:\Windows\kbzphvnjzrzrytyzcz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\xrslgxsrkfqlvtbflllfg.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\vnmdwlebslunvrxzdbz.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File opened for modification	C:\Windows\ujftjvlftjpfkdgf.exe	grrfdxtjqbb.exe
File opened for modification	C:\Windows\vnmdwlebslunvrxzdbz.exe	vbotadk.exe
File created	C:\Windows\zxczytsvsrgftvhpzdhfk.gba	vbotadk.exe
File opened for modification	C:\Windows\ujftjvlftjpfkdgf.exe	grrfdxtjqbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4916	vbotadk.exe
4916	vbotadk.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4916	vbotadk.exe
4916	vbotadk.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	vbotadk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4980	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	82
PID 4568 wrote to memory of 4980	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	82
PID 4568 wrote to memory of 4980	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	82
PID 4980 wrote to memory of 4916	4980	grrfdxtjqbb.exe	83
PID 4980 wrote to memory of 4916	4980	grrfdxtjqbb.exe	83
PID 4980 wrote to memory of 4916	4980	grrfdxtjqbb.exe	83
PID 4980 wrote to memory of 4884	4980	grrfdxtjqbb.exe	84
PID 4980 wrote to memory of 4884	4980	grrfdxtjqbb.exe	84
PID 4980 wrote to memory of 4884	4980	grrfdxtjqbb.exe	84
PID 4568 wrote to memory of 968	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	95
PID 4568 wrote to memory of 968	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	95
PID 4568 wrote to memory of 968	4568	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	95

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	grrfdxtjqbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vbotadk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vbotadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	grrfdxtjqbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	grrfdxtjqbb.exe

C:\Users\Admin\AppData\Local\Temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
"C:\Users\Admin\AppData\Local\Temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\vbotadk.exe
    "C:\Users\Admin\AppData\Local\Temp\vbotadk.exe" "-C:\Users\Admin\AppData\Local\Temp\ujftjvlftjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\vbotadk.exe
    "C:\Users\Admin\AppData\Local\Temp\vbotadk.exe" "-C:\Users\Admin\AppData\Local\Temp\ujftjvlftjpfkdgf.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe
  "C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe" "c:\users\admin\appdata\local\temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\broduhytizgxdxbbd.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
efbc9ad9ac4b30c6546c83db25910a74

SHA1
1e357a6ae3084ba35b0ec062c1bb532a883ca486

SHA256
1ab7aa4f5916c9c6f0108a094bde52b5165fa540573157ffce572e7ceb337a38

SHA512
b7c17d3a64c48fd7473f15a5e6eed1bfec5c17d2c38af1f8cd75b468218aeb56eaee014a8e5542a9649a990ace7bebe9dfc856c1c178e70dc95c3744bc26e683

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
efbc9ad9ac4b30c6546c83db25910a74

SHA1
1e357a6ae3084ba35b0ec062c1bb532a883ca486

SHA256
1ab7aa4f5916c9c6f0108a094bde52b5165fa540573157ffce572e7ceb337a38

SHA512
b7c17d3a64c48fd7473f15a5e6eed1bfec5c17d2c38af1f8cd75b468218aeb56eaee014a8e5542a9649a990ace7bebe9dfc856c1c178e70dc95c3744bc26e683

Download Submit
C:\Users\Admin\AppData\Local\Temp\grrfdxtjqbb.exe

Filesize
320KB

MD5
efbc9ad9ac4b30c6546c83db25910a74

SHA1
1e357a6ae3084ba35b0ec062c1bb532a883ca486

SHA256
1ab7aa4f5916c9c6f0108a094bde52b5165fa540573157ffce572e7ceb337a38

SHA512
b7c17d3a64c48fd7473f15a5e6eed1bfec5c17d2c38af1f8cd75b468218aeb56eaee014a8e5542a9649a990ace7bebe9dfc856c1c178e70dc95c3744bc26e683

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibbtndxvnhrlurybgfex.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbzphvnjzrzrytyzcz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojlfbtppjfrnyxglstuprl.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujftjvlftjpfkdgf.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbotadk.exe

Filesize
700KB

MD5
1eeb6318b1e24260d05c6ae4f1397bf7

SHA1
c91a941df67ab741dbc272883ed6b1ebaec5b7f6

SHA256
787ac614464d5f40d3f18f8fb9c3d46354ac960861ae5301c2c944203b37767d

SHA512
b4dc980bf83bfa7a337cc2b225c0f4823a0b74628c4acfdb8ba2e5250d82298ca44d198f33881e9bee5d6370062836f0be0cff77c2f37fe981b88f570a562d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbotadk.exe

Filesize
700KB

MD5
1eeb6318b1e24260d05c6ae4f1397bf7

SHA1
c91a941df67ab741dbc272883ed6b1ebaec5b7f6

SHA256
787ac614464d5f40d3f18f8fb9c3d46354ac960861ae5301c2c944203b37767d

SHA512
b4dc980bf83bfa7a337cc2b225c0f4823a0b74628c4acfdb8ba2e5250d82298ca44d198f33881e9bee5d6370062836f0be0cff77c2f37fe981b88f570a562d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbotadk.exe

Filesize
700KB

MD5
1eeb6318b1e24260d05c6ae4f1397bf7

SHA1
c91a941df67ab741dbc272883ed6b1ebaec5b7f6

SHA256
787ac614464d5f40d3f18f8fb9c3d46354ac960861ae5301c2c944203b37767d

SHA512
b4dc980bf83bfa7a337cc2b225c0f4823a0b74628c4acfdb8ba2e5250d82298ca44d198f33881e9bee5d6370062836f0be0cff77c2f37fe981b88f570a562d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnmdwlebslunvrxzdbz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrslgxsrkfqlvtbflllfg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\broduhytizgxdxbbd.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\ibbtndxvnhrlurybgfex.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\kbzphvnjzrzrytyzcz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\ojlfbtppjfrnyxglstuprl.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\ujftjvlftjpfkdgf.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\vnmdwlebslunvrxzdbz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\xrslgxsrkfqlvtbflllfg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\broduhytizgxdxbbd.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\broduhytizgxdxbbd.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\broduhytizgxdxbbd.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ibbtndxvnhrlurybgfex.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ibbtndxvnhrlurybgfex.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ibbtndxvnhrlurybgfex.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\kbzphvnjzrzrytyzcz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\kbzphvnjzrzrytyzcz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\kbzphvnjzrzrytyzcz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ojlfbtppjfrnyxglstuprl.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ojlfbtppjfrnyxglstuprl.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ojlfbtppjfrnyxglstuprl.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ujftjvlftjpfkdgf.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ujftjvlftjpfkdgf.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ujftjvlftjpfkdgf.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\vnmdwlebslunvrxzdbz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\vnmdwlebslunvrxzdbz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\vnmdwlebslunvrxzdbz.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\xrslgxsrkfqlvtbflllfg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\xrslgxsrkfqlvtbflllfg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\xrslgxsrkfqlvtbflllfg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit