98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
Size

1016KB
MD5

83012038f33c82a4209126b7df31ea40
SHA1

710e4df1969abe00951616113e486ce5223cd2e3
SHA256

98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53
SHA512

f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9
SSDEEP

6144:OIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:OIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cbjqafp.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbjqafp.exe

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "ernigzxtlfszjreciwsfb.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "ernigzxtlfszjreciwsfb.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irjaujdvjzilrveya.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "bjaqjxqhujrtybjc.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ojn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnuajn = "cnhawnjdtlwbjpawamg.exe"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cbjqafp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe

Executes dropped EXE 3 IoCs

pid	Process
2036	iffdguquspp.exe
1064	cbjqafp.exe
544	cbjqafp.exe

Loads dropped DLL 6 IoCs

pid	Process
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe
2036	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "rbumhxslarbfmrbwzk.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "irjaujdvjzilrveya.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irjaujdvjzilrveya.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdoyltgryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irjaujdvjzilrveya.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdoyltgryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "bjaqjxqhujrtybjc.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cbjqafp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdoyltgryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdoyltgryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "ernigzxtlfszjreciwsfb.exe"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "irjaujdvjzilrveya.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "ernigzxtlfszjreciwsfb.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "cnhawnjdtlwbjpawamg.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "cnhawnjdtlwbjpawamg.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "cnhawnjdtlwbjpawamg.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdoyltgryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "ernigzxtlfszjreciwsfb.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "irjaujdvjzilrveya.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbwqnfcxohtzipbydqlx.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "cnhawnjdtlwbjpawamg.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rraitzkt = "irjaujdvjzilrveya.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ernigzxtlfszjreciwsfb.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ebhmu = "bjaqjxqhujrtybjc.exe ."	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "rbumhxslarbfmrbwzk.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irjaujdvjzilrveya.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vrwa = "ernigzxtlfszjreciwsfb.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbjqafp = "pbwqnfcxohtzipbydqlx.exe"	cbjqafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ijtcovhrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjaqjxqhujrtybjc.exe ."	cbjqafp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vrwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnhawnjdtlwbjpawamg.exe"	cbjqafp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbjqafp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	whatismyipaddress.com
1	whatismyip.everdot.org
2	www.showmyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cnhawnjdtlwbjpawamg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\bjaqjxqhujrtybjc.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\vjgcbvurkftbmvjipebpmi.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\bjaqjxqhujrtybjc.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\irjaujdvjzilrveya.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\cnhawnjdtlwbjpawamg.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\bjaqjxqhujrtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\irjaujdvjzilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\pbwqnfcxohtzipbydqlx.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\ernigzxtlfszjreciwsfb.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\rbumhxslarbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\rbumhxslarbfmrbwzk.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\cnhawnjdtlwbjpawamg.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\pbwqnfcxohtzipbydqlx.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\ernigzxtlfszjreciwsfb.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\vjgcbvurkftbmvjipebpmi.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe
File created	C:\Windows\SysWOW64\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\ernigzxtlfszjreciwsfb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\vjgcbvurkftbmvjipebpmi.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\rbumhxslarbfmrbwzk.exe	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File opened for modification	C:\Windows\SysWOW64\pbwqnfcxohtzipbydqlx.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\irjaujdvjzilrveya.exe	cbjqafp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe
File opened for modification	C:\Program Files (x86)\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File created	C:\Program Files (x86)\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File opened for modification	C:\Program Files (x86)\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rbumhxslarbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\pbwqnfcxohtzipbydqlx.exe	iffdguquspp.exe
File opened for modification	C:\Windows\cnhawnjdtlwbjpawamg.exe	cbjqafp.exe
File opened for modification	C:\Windows\irjaujdvjzilrveya.exe	cbjqafp.exe
File opened for modification	C:\Windows\cnhawnjdtlwbjpawamg.exe	cbjqafp.exe
File opened for modification	C:\Windows\cnhawnjdtlwbjpawamg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\irjaujdvjzilrveya.exe	cbjqafp.exe
File opened for modification	C:\Windows\rbumhxslarbfmrbwzk.exe	cbjqafp.exe
File opened for modification	C:\Windows\bjaqjxqhujrtybjc.exe	cbjqafp.exe
File created	C:\Windows\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe
File opened for modification	C:\Windows\bjaqjxqhujrtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\irjaujdvjzilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\pbwqnfcxohtzipbydqlx.exe	cbjqafp.exe
File opened for modification	C:\Windows\ernigzxtlfszjreciwsfb.exe	cbjqafp.exe
File opened for modification	C:\Windows\ernigzxtlfszjreciwsfb.exe	cbjqafp.exe
File opened for modification	C:\Windows\vjgcbvurkftbmvjipebpmi.exe	cbjqafp.exe
File opened for modification	C:\Windows\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File created	C:\Windows\bjaqjxqhujrtybjcdmdlcslzsjwltvadlefofn.unb	cbjqafp.exe
File opened for modification	C:\Windows\ernigzxtlfszjreciwsfb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\vjgcbvurkftbmvjipebpmi.exe	iffdguquspp.exe
File opened for modification	C:\Windows\bjaqjxqhujrtybjc.exe	cbjqafp.exe
File opened for modification	C:\Windows\vjgcbvurkftbmvjipebpmi.exe	cbjqafp.exe
File opened for modification	C:\Windows\rbumhxslarbfmrbwzk.exe	cbjqafp.exe
File opened for modification	C:\Windows\pbwqnfcxohtzipbydqlx.exe	cbjqafp.exe
File opened for modification	C:\Windows\ebhmuxflnrofzrowmkqntygjrxz.arl	cbjqafp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
544	cbjqafp.exe
544	cbjqafp.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
544	cbjqafp.exe
544	cbjqafp.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	cbjqafp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2036	848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	27
PID 848 wrote to memory of 2036	848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	27
PID 848 wrote to memory of 2036	848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	27
PID 848 wrote to memory of 2036	848	98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe	27
PID 2036 wrote to memory of 1064	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 1064	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 1064	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 1064	2036	iffdguquspp.exe	28
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29
PID 2036 wrote to memory of 544	2036	iffdguquspp.exe	29

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbjqafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbjqafp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cbjqafp.exe

C:\Users\Admin\AppData\Local\Temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe
"C:\Users\Admin\AppData\Local\Temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe
    "C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe" "-C:\Users\Admin\AppData\Local\Temp\bjaqjxqhujrtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe
    "C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe" "-C:\Users\Admin\AppData\Local\Temp\bjaqjxqhujrtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjaqjxqhujrtybjc.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnhawnjdtlwbjpawamg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ernigzxtlfszjreciwsfb.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
7326e037fad8241592fe95136e4e1456

SHA1
85e5f0ead3d54c556cf21548cfa0c1830b82510c

SHA256
1bdad6f045bcff094b768143d37061304c484c51a78e67479cca39d376989a81

SHA512
84f97d4148e9483989a6ae5bcfdb0a6e9fb8f3c13f817719e65e4e42c673125e7da2c4ba8d733d1b5c3bd85a54c5773c62180164c015c744b52054bd9a98c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
7326e037fad8241592fe95136e4e1456

SHA1
85e5f0ead3d54c556cf21548cfa0c1830b82510c

SHA256
1bdad6f045bcff094b768143d37061304c484c51a78e67479cca39d376989a81

SHA512
84f97d4148e9483989a6ae5bcfdb0a6e9fb8f3c13f817719e65e4e42c673125e7da2c4ba8d733d1b5c3bd85a54c5773c62180164c015c744b52054bd9a98c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\irjaujdvjzilrveya.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbwqnfcxohtzipbydqlx.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbumhxslarbfmrbwzk.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjgcbvurkftbmvjipebpmi.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\bjaqjxqhujrtybjc.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\cnhawnjdtlwbjpawamg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\ernigzxtlfszjreciwsfb.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\irjaujdvjzilrveya.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\pbwqnfcxohtzipbydqlx.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\rbumhxslarbfmrbwzk.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\SysWOW64\vjgcbvurkftbmvjipebpmi.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\bjaqjxqhujrtybjc.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\bjaqjxqhujrtybjc.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\cnhawnjdtlwbjpawamg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\cnhawnjdtlwbjpawamg.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ernigzxtlfszjreciwsfb.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\ernigzxtlfszjreciwsfb.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\irjaujdvjzilrveya.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\irjaujdvjzilrveya.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\pbwqnfcxohtzipbydqlx.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\pbwqnfcxohtzipbydqlx.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\rbumhxslarbfmrbwzk.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\rbumhxslarbfmrbwzk.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\vjgcbvurkftbmvjipebpmi.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
C:\Windows\vjgcbvurkftbmvjipebpmi.exe

Filesize
1016KB

MD5
83012038f33c82a4209126b7df31ea40

SHA1
710e4df1969abe00951616113e486ce5223cd2e3

SHA256
98c2abe9dfc05a4726603fa812aa8c9000bce43475bb9d433841bdc2ba779b53

SHA512
f9e8889c2cc38d21ae6da994833a6ef7a1306a727e3c16ad8701cb1f25d9c193c7e5f4f804920736ee84e39ed61c62764cb3598028f341cd0e0d74ede3cb75d9

Download Submit
\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
\Users\Admin\AppData\Local\Temp\cbjqafp.exe

Filesize
712KB

MD5
b41bf3e9f67eb125bca6da174ffa2651

SHA1
b912bda85eb5c8a865107a9f0735a0f98104b4bc

SHA256
12e0115b87fbb6be03382f50293fb04f43d7815c9c79bc77367674076e2f9a1b

SHA512
7be74a4e966448e9b9c30b0f172015e9a89b3d6ed6078d6bc6184b50f62bc95221d5bd10be3b840f8eb768ab3170d54d182635f52d63313a4bc177881fcf04a2

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
7326e037fad8241592fe95136e4e1456

SHA1
85e5f0ead3d54c556cf21548cfa0c1830b82510c

SHA256
1bdad6f045bcff094b768143d37061304c484c51a78e67479cca39d376989a81

SHA512
84f97d4148e9483989a6ae5bcfdb0a6e9fb8f3c13f817719e65e4e42c673125e7da2c4ba8d733d1b5c3bd85a54c5773c62180164c015c744b52054bd9a98c472

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
7326e037fad8241592fe95136e4e1456

SHA1
85e5f0ead3d54c556cf21548cfa0c1830b82510c

SHA256
1bdad6f045bcff094b768143d37061304c484c51a78e67479cca39d376989a81

SHA512
84f97d4148e9483989a6ae5bcfdb0a6e9fb8f3c13f817719e65e4e42c673125e7da2c4ba8d733d1b5c3bd85a54c5773c62180164c015c744b52054bd9a98c472

Download Submit
memory/848-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download