787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

Analysis

max time kernel
154s
max time network
158s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 19:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
Size

1016KB
MD5

523c87bf5018c5910e80db98fb470380
SHA1

57b16953d631c70acc2a0f6d03f648e18b65df4c
SHA256

787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733
SHA512

5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3
SSDEEP

6144:HIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:HIXsgtvm1De5YlOx6lzBH46Uzf7lXUW

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zelwwgm.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zelwwgm.exe

Adds policy Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulgqkavadjnwqscr.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "fulgqkavadjnwqscr.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "fulgqkavadjnwqscr.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulgqkavadjnwqscr.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oucopaht = "bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejsq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe"	zelwwgm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe

Executes dropped EXE 3 IoCs

pid	Process
1212	iffdguquspp.exe
1316	zelwwgm.exe
1472	zelwwgm.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1212	iffdguquspp.exe
1212	iffdguquspp.exe
1212	iffdguquspp.exe
1212	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "bupocautcjtbomsgzsnma.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "zqjgsogdkpxdokoarib.exe ."	zelwwgm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "ymcwfynhlnsvdwxg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "bupocautcjtbomsgzsnma.exe ."	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "fulgqkavadjnwqscr.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "zqjgsogdkpxdokoarib.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulgqkavadjnwqscr.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "oewsdyplrvchrmpaqg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "zqjgsogdkpxdokoarib.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zelwwgm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "meywjgzxflubnkpcumge.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjgsogdkpxdokoarib.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "fulgqkavadjnwqscr.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fulgqkavadjnwqscr.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupocautcjtbomsgzsnma.exe ."	zelwwgm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "fulgqkavadjnwqscr.exe ."	zelwwgm.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjgsogdkpxdokoarib.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "bupocautcjtbomsgzsnma.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "fulgqkavadjnwqscr.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "meywjgzxflubnkpcumge.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "ymcwfynhlnsvdwxg.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe ."	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmvikwero = "ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qamchwhxxvwv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "bupocautcjtbomsgzsnma.exe ."	zelwwgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcncguetspp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewsdyplrvchrmpaqg.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zelwwgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymcwfynhlnsvdwxg.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "ymcwfynhlnsvdwxg.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygqehudrpl = "zqjgsogdkpxdokoarib.exe ."	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe"	zelwwgm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqwgfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meywjgzxflubnkpcumge.exe"	zelwwgm.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	whatismyipaddress.com
5	whatismyip.everdot.org
11	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\oewsdyplrvchrmpaqg.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\oewsdyplrvchrmpaqg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\meywjgzxflubnkpcumge.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\smiixwrrbjudrqxmgawwlk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\zqjgsogdkpxdokoarib.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\fulgqkavadjnwqscr.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\meywjgzxflubnkpcumge.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\oewsdyplrvchrmpaqg.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\zqjgsogdkpxdokoarib.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\bupocautcjtbomsgzsnma.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\smiixwrrbjudrqxmgawwlk.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\meywjgzxflubnkpcumge.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\bupocautcjtbomsgzsnma.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\fulgqkavadjnwqscr.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\zqjgsogdkpxdokoarib.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\ymcwfynhlnsvdwxg.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\smiixwrrbjudrqxmgawwlk.exe	zelwwgm.exe
File created	C:\Windows\SysWOW64\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\fulgqkavadjnwqscr.exe	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File created	C:\Windows\SysWOW64\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe
File opened for modification	C:\Windows\SysWOW64\ymcwfynhlnsvdwxg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\bupocautcjtbomsgzsnma.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\ymcwfynhlnsvdwxg.exe	zelwwgm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File created	C:\Program Files (x86)\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File opened for modification	C:\Program Files (x86)\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe
File created	C:\Program Files (x86)\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\smiixwrrbjudrqxmgawwlk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\fulgqkavadjnwqscr.exe	zelwwgm.exe
File opened for modification	C:\Windows\meywjgzxflubnkpcumge.exe	zelwwgm.exe
File opened for modification	C:\Windows\bupocautcjtbomsgzsnma.exe	zelwwgm.exe
File opened for modification	C:\Windows\smiixwrrbjudrqxmgawwlk.exe	zelwwgm.exe
File opened for modification	C:\Windows\fulgqkavadjnwqscr.exe	zelwwgm.exe
File opened for modification	C:\Windows\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File opened for modification	C:\Windows\fulgqkavadjnwqscr.exe	iffdguquspp.exe
File created	C:\Windows\bejsqyclevphemcadglusaengxr.goe	zelwwgm.exe
File opened for modification	C:\Windows\ymcwfynhlnsvdwxg.exe	zelwwgm.exe
File opened for modification	C:\Windows\oewsdyplrvchrmpaqg.exe	zelwwgm.exe
File opened for modification	C:\Windows\zqjgsogdkpxdokoarib.exe	zelwwgm.exe
File opened for modification	C:\Windows\meywjgzxflubnkpcumge.exe	zelwwgm.exe
File opened for modification	C:\Windows\bupocautcjtbomsgzsnma.exe	zelwwgm.exe
File opened for modification	C:\Windows\meywjgzxflubnkpcumge.exe	iffdguquspp.exe
File opened for modification	C:\Windows\zqjgsogdkpxdokoarib.exe	iffdguquspp.exe
File opened for modification	C:\Windows\oewsdyplrvchrmpaqg.exe	zelwwgm.exe
File opened for modification	C:\Windows\ymcwfynhlnsvdwxg.exe	zelwwgm.exe
File opened for modification	C:\Windows\smiixwrrbjudrqxmgawwlk.exe	zelwwgm.exe
File opened for modification	C:\Windows\oewsdyplrvchrmpaqg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\bupocautcjtbomsgzsnma.exe	iffdguquspp.exe
File opened for modification	C:\Windows\zqjgsogdkpxdokoarib.exe	zelwwgm.exe
File opened for modification	C:\Windows\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe
File created	C:\Windows\ymcwfynhlnsvdwxguiysbujdhjorzstcqeuoxq.zdf	zelwwgm.exe
File opened for modification	C:\Windows\ymcwfynhlnsvdwxg.exe	iffdguquspp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1316	zelwwgm.exe
1316	zelwwgm.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1316	zelwwgm.exe
1316	zelwwgm.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	zelwwgm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1212	1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe	27
PID 1480 wrote to memory of 1212	1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe	27
PID 1480 wrote to memory of 1212	1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe	27
PID 1480 wrote to memory of 1212	1480	787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe	27
PID 1212 wrote to memory of 1316	1212	iffdguquspp.exe	28
PID 1212 wrote to memory of 1316	1212	iffdguquspp.exe	28
PID 1212 wrote to memory of 1316	1212	iffdguquspp.exe	28
PID 1212 wrote to memory of 1316	1212	iffdguquspp.exe	28
PID 1212 wrote to memory of 1472	1212	iffdguquspp.exe	29
PID 1212 wrote to memory of 1472	1212	iffdguquspp.exe	29
PID 1212 wrote to memory of 1472	1212	iffdguquspp.exe	29
PID 1212 wrote to memory of 1472	1212	iffdguquspp.exe	29

System policy modification 1 TTPs 31 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zelwwgm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zelwwgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe

C:\Users\Admin\AppData\Local\Temp\787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe
"C:\Users\Admin\AppData\Local\Temp\787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe
    "C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe" "-C:\Users\Admin\AppData\Local\Temp\ymcwfynhlnsvdwxg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe
    "C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe" "-C:\Users\Admin\AppData\Local\Temp\ymcwfynhlnsvdwxg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bupocautcjtbomsgzsnma.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fulgqkavadjnwqscr.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
a59e8ea652466273b0e83ebd15b635f5

SHA1
7f20026b58e4287137e5e28d40b0245d07e7a408

SHA256
efffa1d5e4c2d38a6f3c976323017e6dc9768db0e39b2561c90c55bd1cc76728

SHA512
0873262e05d7442a6530622c463d872eec3fecd71cf31f49721203bb3454d4e65ec912a96f8461f6973108fdba4f891b922e7082d89737114437e7987c9d82af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
a59e8ea652466273b0e83ebd15b635f5

SHA1
7f20026b58e4287137e5e28d40b0245d07e7a408

SHA256
efffa1d5e4c2d38a6f3c976323017e6dc9768db0e39b2561c90c55bd1cc76728

SHA512
0873262e05d7442a6530622c463d872eec3fecd71cf31f49721203bb3454d4e65ec912a96f8461f6973108fdba4f891b922e7082d89737114437e7987c9d82af

Download Submit
C:\Users\Admin\AppData\Local\Temp\meywjgzxflubnkpcumge.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oewsdyplrvchrmpaqg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\smiixwrrbjudrqxmgawwlk.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymcwfynhlnsvdwxg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqjgsogdkpxdokoarib.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\bupocautcjtbomsgzsnma.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\fulgqkavadjnwqscr.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\meywjgzxflubnkpcumge.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\oewsdyplrvchrmpaqg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\smiixwrrbjudrqxmgawwlk.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\ymcwfynhlnsvdwxg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\SysWOW64\zqjgsogdkpxdokoarib.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\bupocautcjtbomsgzsnma.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\bupocautcjtbomsgzsnma.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\fulgqkavadjnwqscr.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\fulgqkavadjnwqscr.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\meywjgzxflubnkpcumge.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\meywjgzxflubnkpcumge.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\oewsdyplrvchrmpaqg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\oewsdyplrvchrmpaqg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\smiixwrrbjudrqxmgawwlk.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\smiixwrrbjudrqxmgawwlk.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\ymcwfynhlnsvdwxg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\ymcwfynhlnsvdwxg.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\zqjgsogdkpxdokoarib.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
C:\Windows\zqjgsogdkpxdokoarib.exe

Filesize
1016KB

MD5
523c87bf5018c5910e80db98fb470380

SHA1
57b16953d631c70acc2a0f6d03f648e18b65df4c

SHA256
787924f9f1fc2ab829f494f33414da98849acf0484e3602448aec68abeb3e733

SHA512
5dbff5bae2cf94045ebdb37c612a79852cfb0357827689b64d3bf547b3f736eeefcaa4e90d7f15b4955bee6d92ebbcb7ac16c1ece0df556fb1d09ea90b1b13e3

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
a59e8ea652466273b0e83ebd15b635f5

SHA1
7f20026b58e4287137e5e28d40b0245d07e7a408

SHA256
efffa1d5e4c2d38a6f3c976323017e6dc9768db0e39b2561c90c55bd1cc76728

SHA512
0873262e05d7442a6530622c463d872eec3fecd71cf31f49721203bb3454d4e65ec912a96f8461f6973108fdba4f891b922e7082d89737114437e7987c9d82af

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
a59e8ea652466273b0e83ebd15b635f5

SHA1
7f20026b58e4287137e5e28d40b0245d07e7a408

SHA256
efffa1d5e4c2d38a6f3c976323017e6dc9768db0e39b2561c90c55bd1cc76728

SHA512
0873262e05d7442a6530622c463d872eec3fecd71cf31f49721203bb3454d4e65ec912a96f8461f6973108fdba4f891b922e7082d89737114437e7987c9d82af

Download Submit
\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
\Users\Admin\AppData\Local\Temp\zelwwgm.exe

Filesize
716KB

MD5
5cdd265aaa7b13153a6d071c05fd750b

SHA1
bc81ac30e49a5b86ccb136991660400ccdb5f64c

SHA256
6ff8a8789bdd34198707a894d76cabdc82cd543c1080dec092dc1e598bc34f62

SHA512
84a397a91d50496bbe323aa7af4e4ce1c9e7b3f8ac20c64757efe0b191966a6746bad58820096440bef1351527f1993ebd727b4912a16233e6f87ac1b2c09853

Download Submit
memory/1480-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download