19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64

Analysis

max time kernel
65s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Size

4.2MB
MD5

b55b2c17d2290d82fbf0628f1d312ede
SHA1

fa7126c01ac0c38f521273e67c0d077d7c45904f
SHA256

19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64
SHA512

75412c8519b237b529a3a8349533306ec9947e9454e3f27adfd689dbd69ab5981b8d84639cb6dd4406a30a8f23233c842043691435673ff4465cf641b2d19db8
SSDEEP

6144:/3ae8ySm8hQAAIfFrRXuEE+0l97mKwKKTHVgp86JQPDHDdx/Qtqa:R/zkFF+EExZmKbKzVgpPJQPDHvd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vdoss.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdoss.exe

Adds policy Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpogutdyplbajgpfayx.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "vtuoefrohfxyjitliijhi.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "ztqgspxqfznkrmtha.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "gddwllwskhyyigqhdccz.exe"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gddwllwskhyyigqhdccz.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "vtuoefrohfxyjitliijhi.exe"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpbght = "tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	vdoss.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe

Executes dropped EXE 2 IoCs

pid	Process
3636	vdoss.exe
2960	vdoss.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "idbsfdmgwrgemiqfzw.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gddwllwskhyyigqhdccz.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "ztqgspxqfznkrmtha.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gddwllwskhyyigqhdccz.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "slhwhdkcqjwsysyl.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "vtuoefrohfxyjitliijhi.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "tpogutdyplbajgpfayx.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "gddwllwskhyyigqhdccz.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "slhwhdkcqjwsysyl.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "vtuoefrohfxyjitliijhi.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "gddwllwskhyyigqhdccz.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "ztqgspxqfznkrmtha.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "vtuoefrohfxyjitliijhi.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gddwllwskhyyigqhdccz.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpogutdyplbajgpfayx.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "ztqgspxqfznkrmtha.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "gddwllwskhyyigqhdccz.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "slhwhdkcqjwsysyl.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "idbsfdmgwrgemiqfzw.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "idbsfdmgwrgemiqfzw.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gddwllwskhyyigqhdccz.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "idbsfdmgwrgemiqfzw.exe ."	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "idbsfdmgwrgemiqfzw.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "tpogutdyplbajgpfayx.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "vtuoefrohfxyjitliijhi.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "tpogutdyplbajgpfayx.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdoss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe ."	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ithorfeo = "tpogutdyplbajgpfayx.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdg = "slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "tpogutdyplbajgpfayx.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqgspxqfznkrmtha.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idbsfdmgwrgemiqfzw.exe"	vdoss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdqwylj = "slhwhdkcqjwsysyl.exe"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\slhwhdkcqjwsysyl.exe"	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zlaimbbmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe ."	vdoss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfvejzamuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtuoefrohfxyjitliijhi.exe"	vdoss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	whatismyipaddress.com
37	whatismyip.everdot.org
41	whatismyipaddress.com
44	whatismyip.everdot.org
52	www.showmyipaddress.com
64	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe
File created	C:\Windows\SysWOW64\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe
File opened for modification	C:\Windows\SysWOW64\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe
File created	C:\Windows\SysWOW64\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe
File created	C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe
File opened for modification	C:\Program Files (x86)\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe
File created	C:\Program Files (x86)\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe
File opened for modification	C:\Windows\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe
File created	C:\Windows\kzrcjbescrasukmvjashzkrjmakziacsud.iap	vdoss.exe
File opened for modification	C:\Windows\xbiieldgfjhofkbzciptaaw.vyx	vdoss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	vdoss.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	vdoss.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe
3636	vdoss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	vdoss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3636	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	91
PID 964 wrote to memory of 3636	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	91
PID 964 wrote to memory of 3636	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	91
PID 964 wrote to memory of 2960	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	92
PID 964 wrote to memory of 2960	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	92
PID 964 wrote to memory of 2960	964	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe	92

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vdoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vdoss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vdoss.exe

C:\Users\Admin\AppData\Local\Temp\19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe
"C:\Users\Admin\AppData\Local\Temp\19e55a6539bdb89eebf9eb8524fd487bbbef17b780e134f0c1c3d014fcbe5f64.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:964
- C:\Users\Admin\AppData\Local\Temp\vdoss.exe
  "C:\Users\Admin\AppData\Local\Temp\vdoss.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\vdoss.exe
  "C:\Users\Admin\AppData\Local\Temp\vdoss.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:2960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx

Filesize
272B

MD5
1225d506bf6f04fa6129561d83c45b87

SHA1
ee44dad31beb46d61ab70dcfbb94f5011f5bae34

SHA256
e52b16afd52e3a3b2dcfe674326a800fcf6f01f12918c9933b59771e6822399a

SHA512
92a9e65713d310a87e300740a346211768e1268babe589e369766b045ba349d99b08b117a57daf5e9b04c69a472e02f39e678887f1b80b3968a8a5d8e8f60acc

Download Submit
C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx

Filesize
272B

MD5
776ba2fdd967672d7713129dc2c0ee2b

SHA1
505f7a3cd4846c775136022ec577a249fced6deb

SHA256
4160b1e149553f0679d4a84a591dd51c5fb8d86c0eac3400eac144b01594f15f

SHA512
6ced197e14bf19017cc6b977554fdbc4d620a57a42a49cfbe01bf24a199671a539ad958e26aee6a3d0774febb45c54cac1295112391f238a64df263c61773f59

Download Submit
C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx

Filesize
272B

MD5
d8548a2fbc78fdcb43175485346c6ad5

SHA1
94969a7db7ff209ca7be2607988a8a1d2ed02c40

SHA256
dd908a719f7223feafb228d8016ac644393ce8758a1dadf49af9237aa28fd0f9

SHA512
ce585c2f975ee8b46d9375bc8525aa19c0b9463268a42bc0674bae4c74596f3440e41e87762d4252f522a57056ce14808dc064c71b53fdc20866d3b645df7a8d

Download Submit
C:\Program Files (x86)\xbiieldgfjhofkbzciptaaw.vyx

Filesize
272B

MD5
7950cb35b03ab240c41ceadb5c445a93

SHA1
d9b5d161537b9d0c58ec520b037c70dd6a762e78

SHA256
f91bd9350defd22200b13564198442742dad9e070f2de270bbfdf37b2f11f263

SHA512
b1793d68c5d8bb4be93b91d9afa51845d7931cfbc30f308daf7a58cfb4604a0670ad4576810ab8a9e9db77232b6d49f0027b862579ec0a0486c74b76969e83f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdoss.exe

Filesize
5.7MB

MD5
9eebfdbe439edc76f954492618dfb186

SHA1
2e10417d279f888f435daad4b1624a74bd1309ca

SHA256
f684ab899dede95d60123a598e797079cc55e4aa664861bffb231782551578fd

SHA512
82b1f9b1f77ceff4868b3b9c4d4e1d4424ddfb4d5129495eb0dad36c0014385ee6f08e2a85bf78045a9131175a73546a878aff92224e61df4a21d097ccd672cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdoss.exe

Filesize
5.7MB

MD5
9eebfdbe439edc76f954492618dfb186

SHA1
2e10417d279f888f435daad4b1624a74bd1309ca

SHA256
f684ab899dede95d60123a598e797079cc55e4aa664861bffb231782551578fd

SHA512
82b1f9b1f77ceff4868b3b9c4d4e1d4424ddfb4d5129495eb0dad36c0014385ee6f08e2a85bf78045a9131175a73546a878aff92224e61df4a21d097ccd672cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdoss.exe

Filesize
5.7MB

MD5
9eebfdbe439edc76f954492618dfb186

SHA1
2e10417d279f888f435daad4b1624a74bd1309ca

SHA256
f684ab899dede95d60123a598e797079cc55e4aa664861bffb231782551578fd

SHA512
82b1f9b1f77ceff4868b3b9c4d4e1d4424ddfb4d5129495eb0dad36c0014385ee6f08e2a85bf78045a9131175a73546a878aff92224e61df4a21d097ccd672cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdoss.exe

Filesize
5.7MB

MD5
9eebfdbe439edc76f954492618dfb186

SHA1
2e10417d279f888f435daad4b1624a74bd1309ca

SHA256
f684ab899dede95d60123a598e797079cc55e4aa664861bffb231782551578fd

SHA512
82b1f9b1f77ceff4868b3b9c4d4e1d4424ddfb4d5129495eb0dad36c0014385ee6f08e2a85bf78045a9131175a73546a878aff92224e61df4a21d097ccd672cf

Download Submit
C:\Users\Admin\AppData\Local\kzrcjbescrasukmvjashzkrjmakziacsud.iap

Filesize
3KB

MD5
9b6f1fa449b8f8c63aa2f0b696643943

SHA1
c8ec0ba3012a54fcadee14ff4d131f7128217b4c

SHA256
67d04996e8719a7022629ca646554d0e307502f34c908e8716db69faec6e7798

SHA512
840675122325751172185b04622e78069d8c71890bccfda2bdf980f97c101a590283ccabd191e01de2643e33f17c3cc8332b4e99fd8588ab961bdbda38275ee9

Download Submit
C:\Users\Admin\AppData\Local\xbiieldgfjhofkbzciptaaw.vyx

Filesize
272B

MD5
d97cbb4d317275c2c653b9f8361f3ca2

SHA1
09d93ec549f7a644df66b1bc85382939e9358917

SHA256
f9c00495b86ded14a498f14dc6e11117f29136133f1ab62a93a092d614e470e7

SHA512
2c52ff8253334f9aa7008475a71ac22081f1e73324db2b5827f57ff39ee0f0fbe1e9b6bf2258deb0e76ae5723e26b3b5685e5ce62f50eba993618f0d24ae1624

Download Submit