34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043

Analysis

max time kernel
56s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Size

708KB
MD5

5f0f11d3c43ccfed72d58bfb1f5edffe
SHA1

ea29ffaa3366e1f859cbea33d66b6be9b800a167
SHA256

34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043
SHA512

12681f16d332c53519225ff3b4c17371e024f030e15b709e16a2101e4ab29816783ea9082aa672dc8e42142690da32bdb049aab29bc28895d9ccf76b55685b95
SSDEEP

12288:wXgvmzFHi0mo5aH0qMzd5807FSmPJQPDHvd:wXgvOHi0mGaH0qSdPFS44V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adpuwlr.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Adds policy Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "gtpeqpfsiwtavcqjf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "gtpeqpfsiwtavcqjf.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "gtpeqpfsiwtavcqjf.exe"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adpuwlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zfuchzioxe = "apnestlasihqnwmhfla.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Executes dropped EXE 2 IoCs

pid	Process
3256	adpuwlr.exe
2112	adpuwlr.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttmcfzqkcdonyqnnvmmf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "zlgufdsetgcicivn.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpeqpfsiwtavcqjf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "pdaqdduizomuqynhej.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "apnestlasihqnwmhfla.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "pdaqdduizomuqynhej.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "apnestlasihqnwmhfla.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttmcfzqkcdonyqnnvmmf.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "ndcujleuneeomwnjipfe.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "gtpeqpfsiwtavcqjf.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "pdaqdduizomuqynhej.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "cttmcfzqkcdonyqnnvmmf.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "gtpeqpfsiwtavcqjf.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "cttmcfzqkcdonyqnnvmmf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttmcfzqkcdonyqnnvmmf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "ndcujleuneeomwnjipfe.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "pdaqdduizomuqynhej.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpeqpfsiwtavcqjf.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpeqpfsiwtavcqjf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "zlgufdsetgcicivn.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "zlgufdsetgcicivn.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "cttmcfzqkcdonyqnnvmmf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbugplyivgaewa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcujleuneeomwnjipfe.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgufdsetgcicivn.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "cttmcfzqkcdonyqnnvmmf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "zlgufdsetgcicivn.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "zlgufdsetgcicivn.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rzqahbmufogi = "zlgufdsetgcicivn.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpeqpfsiwtavcqjf.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgufdsetgcicivn.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qzrckframwpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\glzgkbjow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdaqdduizomuqynhej.exe ."	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "pdaqdduizomuqynhej.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "gtpeqpfsiwtavcqjf.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptgmpfmq = "apnestlasihqnwmhfla.exe"	adpuwlr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubragzjqaiz = "zlgufdsetgcicivn.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	www.showmyipaddress.com
26	whatismyipaddress.com
36	whatismyip.everdot.org
45	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe
File created	C:\Windows\SysWOW64\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe
File opened for modification	C:\Windows\SysWOW64\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe
File created	C:\Windows\SysWOW64\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe
File opened for modification	C:\Program Files (x86)\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe
File created	C:\Program Files (x86)\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe
File opened for modification	C:\Program Files (x86)\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe
File created	C:\Windows\ebhgclliignejaybhvsyxtc.zzx	adpuwlr.exe
File opened for modification	C:\Windows\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe
File created	C:\Windows\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris	adpuwlr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	adpuwlr.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	adpuwlr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3256	adpuwlr.exe
3256	adpuwlr.exe
3256	adpuwlr.exe
3256	adpuwlr.exe
3256	adpuwlr.exe
3256	adpuwlr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	adpuwlr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3256	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	91
PID 3388 wrote to memory of 3256	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	91
PID 3388 wrote to memory of 3256	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	91
PID 3388 wrote to memory of 2112	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	92
PID 3388 wrote to memory of 2112	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	92
PID 3388 wrote to memory of 2112	3388	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	92

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adpuwlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpuwlr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adpuwlr.exe

C:\Users\Admin\AppData\Local\Temp\34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
"C:\Users\Admin\AppData\Local\Temp\34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3388
- C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe
  "C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe
  "C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:2112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ebhgclliignejaybhvsyxtc.zzx

Filesize
280B

MD5
15c89a2988efb4ed7a25fcbf72225287

SHA1
0b9aa08379d4081524916a2b28ce4d4f0aa0b3c8

SHA256
11155d13fbc18e72853c1ec4b8ad164697a9a38400c1275d7716310473fbf4b5

SHA512
eec04f1bb243fde8437cfce1b5d4308676559d6d6f9cca90096da8659719f35dd428e365d8da851987b2eb752f5a3ec595580630f0790e3d65978442ad2a2ac1

Download Submit
C:\Program Files (x86)\ebhgclliignejaybhvsyxtc.zzx

Filesize
280B

MD5
441a05d6c5c133c352e9ddeb1e9d7866

SHA1
3e602b3b9e8c3aaa3ef1acb8d8f095024599487d

SHA256
c292415fb0dee7c03de7ffc8d080d9cd5d9d1f33ef8fb7add50c3874e885832d

SHA512
878bd72338da4f3d3c8e1b79c52d047343b7700649a3db207f0a609d893070d9f561fc747d757536d572c129e224d379b50cf6ae71b2c496607f09a2acaf75a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe

Filesize
1.3MB

MD5
9db8d8a87bae791c13b1070ba64575c8

SHA1
a062e730e49e57a9bbf831ee00be3b641226b751

SHA256
65a14c914f89a4971df07c10704e8b69b2a6cf02ef8b26e62e723a46f9200f9b

SHA512
f68a3dd5a086957a4407d0cc2b4c39e7097df66b01dbafe2a315db544c277e714834b1929bc570dca2d1e514ee5ee84d804cacc0702b8452bb9307392d8c3703

Download Submit
C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe

Filesize
1.3MB

MD5
9db8d8a87bae791c13b1070ba64575c8

SHA1
a062e730e49e57a9bbf831ee00be3b641226b751

SHA256
65a14c914f89a4971df07c10704e8b69b2a6cf02ef8b26e62e723a46f9200f9b

SHA512
f68a3dd5a086957a4407d0cc2b4c39e7097df66b01dbafe2a315db544c277e714834b1929bc570dca2d1e514ee5ee84d804cacc0702b8452bb9307392d8c3703

Download Submit
C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe

Filesize
1.3MB

MD5
9db8d8a87bae791c13b1070ba64575c8

SHA1
a062e730e49e57a9bbf831ee00be3b641226b751

SHA256
65a14c914f89a4971df07c10704e8b69b2a6cf02ef8b26e62e723a46f9200f9b

SHA512
f68a3dd5a086957a4407d0cc2b4c39e7097df66b01dbafe2a315db544c277e714834b1929bc570dca2d1e514ee5ee84d804cacc0702b8452bb9307392d8c3703

Download Submit
C:\Users\Admin\AppData\Local\Temp\adpuwlr.exe

Filesize
1.3MB

MD5
9db8d8a87bae791c13b1070ba64575c8

SHA1
a062e730e49e57a9bbf831ee00be3b641226b751

SHA256
65a14c914f89a4971df07c10704e8b69b2a6cf02ef8b26e62e723a46f9200f9b

SHA512
f68a3dd5a086957a4407d0cc2b4c39e7097df66b01dbafe2a315db544c277e714834b1929bc570dca2d1e514ee5ee84d804cacc0702b8452bb9307392d8c3703

Download Submit
C:\Users\Admin\AppData\Local\ebhgclliignejaybhvsyxtc.zzx

Filesize
280B

MD5
cbf6b8500dc8a6303bbdb889458a0b1b

SHA1
630e4617431957795ccec8be72415d4b2eabffc4

SHA256
8d82076388c8bc6542ec24ef17012fe42f742f7b1214cfa1d5632ada05aa7cca

SHA512
7640226660430e21429e54935dafc6ccf882bafb1edb3099fe70cf5023f3895d1c3630f2f81eec50dc852ab772eeda8269e7ba641725dee9bfc4e4b09d3bc1c7

Download Submit
C:\Users\Admin\AppData\Local\ebhgclliignejaybhvsyxtc.zzx

Filesize
280B

MD5
164bbf522e3e51be6c0480944b1f6d3b

SHA1
73e465216a4c58370f04b59dbf996d30363a4aae

SHA256
708e0dcbd8d0411c104a765019d39ed8d38997c33a3c5a7721aea29f141bce49

SHA512
7b72f0ceb6cf2f3d53803dd485cb54dded709435386592dd3ac7fedd0f60a8b59a1f82441eb2e06331186169db52a15ac1096da32809939a330681a4d30d6efb

Download Submit
C:\Users\Admin\AppData\Local\rzqahbmufogiyajxonvmwdxiqbkceuwftk.ris

Filesize
4KB

MD5
84ff32bf94008226d6ac2d28b5c22ce0

SHA1
f44ca8a53f1295948a3ce7b0f0d1706e0cf88aec

SHA256
5182b361fc0bce0a8ac393aaccdb098e50aac32d20c96b9b6a9d634d144554a0

SHA512
bc92261c639b8f52cab8d3180f049850cf2fe6f68bed365a948aec4cdde383f9fd758eec8cf1969434a88cf1a44b26c96557a5b4780950a9f718d2a806530a14

Download Submit