3da5a892a8bf4944182a32691bab0ef4f040d694b839118488f8dc38f34b2c53

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
Size

512KB
MD5

27883306f010718832c6ff2ecdce8d09
SHA1

03138202a970a4567699f2a0e145316bcc578622
SHA256

3da5a892a8bf4944182a32691bab0ef4f040d694b839118488f8dc38f34b2c53
SHA512

379b1bcd1020b087353ba2790eb6401266cc54c598db625de73a5b983017b4edf06caff5339071cf2f3373b0736580d88d50d75e1f4a090cae21556c320b13d3
SSDEEP

6144:28XXRUw9Oz5+iUPO4RJtvRx7HfnSzObtkLo5vOFTaLTGu0yvHcr+JB8aUh:NnRy+vvtHfRVxOFuPyAHcqrU

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cbqtadm.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbqtadm.exe

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	ncxtafuixmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "cnodwlgdxjbybfuheag.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rrhltxht = "pbdtndzxsfywafvjhelx.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ebopu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe"	ncxtafuixmh.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	ncxtafuixmh.exe

Executes dropped EXE 4 IoCs

pid	Process
2868	ncxtafuixmh.exe
3504	cbqtadm.exe
3720	cbqtadm.exe
4628	ncxtafuixmh.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	cbqtadm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	cbqtadm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	cbqtadm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	cbqtadm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	cbqtadm.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	cbqtadm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "bjhtjvnhyhwqqrdn.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "pbdtndzxsfywafvjhelx.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "erulgxutpdxwbhynmksfi.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "pbdtndzxsfywafvjhelx.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "bjhtjvnhyhwqqrdn.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "pbdtndzxsfywafvjhelx.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "cnodwlgdxjbybfuheag.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "cnodwlgdxjbybfuheag.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "erulgxutpdxwbhynmksfi.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "pbdtndzxsfywafvjhelx.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "rbbphvplepgcehvhdy.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "irqduhavnxnijlyje.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "cnodwlgdxjbybfuheag.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "rbbphvplepgcehvhdy.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "erulgxutpdxwbhynmksfi.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdvblrdrcf = "bjhtjvnhyhwqqrdn.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "rbbphvplepgcehvhdy.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "rbbphvplepgcehvhdy.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijafoterb = "irqduhavnxnijlyje.exe"	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnbdjl = "rbbphvplepgcehvhdy.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbdtndzxsfywafvjhelx.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnodwlgdxjbybfuheag.exe ."	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txrzlthxkpaq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjhtjvnhyhwqqrdn.exe"	cbqtadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wzszkretfjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irqduhavnxnijlyje.exe ."	ncxtafuixmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cbqtadm = "pbdtndzxsfywafvjhelx.exe ."	cbqtadm.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	whatismyipaddress.com
21	www.whatismyip.ca
22	www.showmyipaddress.com
30	www.whatismyip.ca
34	www.whatismyip.ca
36	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	cbqtadm.exe
File opened for modification	F:\autorun.inf	cbqtadm.exe
File created	F:\autorun.inf	cbqtadm.exe
File opened for modification	C:\autorun.inf	cbqtadm.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File created	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	cbqtadm.exe
File created	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe
File created	C:\Windows\SysWOW64\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	cbqtadm.exe
File opened for modification	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\SysWOW64\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File created	C:\Windows\SysWOW64\irqduhavnxnijlyje.exe	ncxtafuixmh.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File created	C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File opened for modification	C:\Program Files (x86)\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe
File created	C:\Program Files (x86)\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File created	C:\Windows\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe
File opened for modification	C:\Windows\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna	cbqtadm.exe
File opened for modification	C:\Windows\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File opened for modification	C:\Windows\vjnfbtrrodyyeldttsbptl.exe	cbqtadm.exe
File created	C:\Windows\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File opened for modification	C:\Windows\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe
File created	C:\Windows\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File opened for modification	C:\Windows\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File created	C:\Windows\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File created	C:\Windows\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File created	C:\Windows\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\irqduhavnxnijlyje.exe	cbqtadm.exe
File opened for modification	C:\Windows\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File opened for modification	C:\Windows\erulgxutpdxwbhynmksfi.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\cnodwlgdxjbybfuheag.exe	cbqtadm.exe
File opened for modification	C:\Windows\rbbphvplepgcehvhdy.exe	cbqtadm.exe
File created	C:\Windows\gxezytuxxpnqzjexacofm.gbc	cbqtadm.exe
File created	C:\Windows\irqduhavnxnijlyje.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\pbdtndzxsfywafvjhelx.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\irqduhavnxnijlyje.exe	cbqtadm.exe
File opened for modification	C:\Windows\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\bjhtjvnhyhwqqrdn.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\cnodwlgdxjbybfuheag.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\rbbphvplepgcehvhdy.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\vjnfbtrrodyyeldttsbptl.exe	ncxtafuixmh.exe
File opened for modification	C:\Windows\pbdtndzxsfywafvjhelx.exe	cbqtadm.exe
File opened for modification	C:\Windows\bjhtjvnhyhwqqrdn.exe	cbqtadm.exe
File opened for modification	C:\Windows\erulgxutpdxwbhynmksfi.exe	cbqtadm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3504	cbqtadm.exe
3504	cbqtadm.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3504	cbqtadm.exe
3504	cbqtadm.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	cbqtadm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 2868	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	92
PID 3684 wrote to memory of 2868	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	92
PID 3684 wrote to memory of 2868	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	92
PID 2868 wrote to memory of 3504	2868	ncxtafuixmh.exe	93
PID 2868 wrote to memory of 3504	2868	ncxtafuixmh.exe	93
PID 2868 wrote to memory of 3504	2868	ncxtafuixmh.exe	93
PID 2868 wrote to memory of 3720	2868	ncxtafuixmh.exe	94
PID 2868 wrote to memory of 3720	2868	ncxtafuixmh.exe	94
PID 2868 wrote to memory of 3720	2868	ncxtafuixmh.exe	94
PID 3684 wrote to memory of 4628	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	99
PID 3684 wrote to memory of 4628	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	99
PID 3684 wrote to memory of 4628	3684	27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe	99

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ncxtafuixmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cbqtadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ncxtafuixmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cbqtadm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ncxtafuixmh.exe

C:\Users\Admin\AppData\Local\Temp\27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27883306f010718832c6ff2ecdce8d09_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\ncxtafuixmh.exe
  "C:\Users\Admin\AppData\Local\Temp\ncxtafuixmh.exe" "c:\users\admin\appdata\local\temp\27883306f010718832c6ff2ecdce8d09_jaffacakes118.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\cbqtadm.exe
    "C:\Users\Admin\AppData\Local\Temp\cbqtadm.exe" "-c:\users\admin\appdata\local\temp\27883306f010718832c6ff2ecdce8d09_jaffacakes118.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\cbqtadm.exe
    "C:\Users\Admin\AppData\Local\Temp\cbqtadm.exe" "-c:\users\admin\appdata\local\temp\27883306f010718832c6ff2ecdce8d09_jaffacakes118.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:3720
- C:\Users\Admin\AppData\Local\Temp\ncxtafuixmh.exe
  "C:\Users\Admin\AppData\Local\Temp\ncxtafuixmh.exe" "c:\users\admin\appdata\local\temp\27883306f010718832c6ff2ecdce8d09_jaffacakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4384,i,5028538196072658126,13960315633709835247,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
4a1ace77c369ee306b04e2b7129437d6

SHA1
4c472534b1db3d401c6b3e0766cbd569515cdf1e

SHA256
9954ccf40c7d66f1373eab0966f5907d41b170386b236f06cbd307a8d294a6ef

SHA512
f44d541a26d6d0aedfe057fe3761ab1fa115e9836148275f2a735c9925105a4afeb1431dbb7400bb44717c2be690a9891d4593b501b1882d4f42de7cdd4ce77b

Download Submit
C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
ca93ea73cb3a70b092cc68da69963d35

SHA1
8ad751b31457181da27804fda1407926bb956fd3

SHA256
5b6b8663678673173ed2a88e14f5135bf59ff93adc9226626cc9562221fe24ee

SHA512
a963ae96491cf61c4b2883ddc3cfa84c5dc0185a2022d67edef7f9a427f75e54ae370981a5d0b6732b5a5fda42c9f7d633f3ea8575a3bac586262811b9f8c445

Download Submit
C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
d62c7c63d4cc84f15c16fceed6cbfdc3

SHA1
73c28a01bd06623f0703bc159253bfd877425ac8

SHA256
e7258fe4d3fe51c0141a20bec346fe4875d5a8180199f8f1693c1c00539e6d66

SHA512
1a09674edce533b64603de7b7f63ef353a90e78470a285364de65814ec11d78b06f08145b3b18005c9db7bebf0af3ecf878c98796362beb5fd14ce3768e1a5cc

Download Submit
C:\Program Files (x86)\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
e5ff00bdb515a3fe6e75deb16d60321e

SHA1
348c364d9a90642e7d35bbabc85f844dbd833567

SHA256
f472bbb4cd86d2cf89f021f6997e0983b6c0ee001f8fc33b12146cf0a03df00f

SHA512
1b78f1ff4e394ee0d9e1abde8307e587c920f856f13aaa65a11d085e6c596c46589266742bcf2ef94316759b0811d6dbdc2cbc044ea7bb0e0895476fe995fa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbqtadm.exe

Filesize
696KB

MD5
8399399aba12aef83108640ddb863572

SHA1
9a1170ccf939baf08384d488f649d3587ce93d9b

SHA256
a0fcef5e6fcf3f433578d963367030bd9b39a59ae4b637408486d9fb3daac20b

SHA512
b83a21f10bd3bd0f82cf001931420748d345e24d40ccd9768250780675cd529798aedf035fb9f88345f174f670a1e1f012a5f238521e1b4ab5e4296e0a2d58db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncxtafuixmh.exe

Filesize
308KB

MD5
b58393335b3621bfb1fc631823248577

SHA1
315ffce8bae73f153679650cb580659cae1df77a

SHA256
6ea5753634bcae5b7fb519f8556eb8d09b0a7b547e3b0214e7141ce8e92302d9

SHA512
456450a5dceb3f1cdbafb7d5f65766b1c5c0a3de04abaa2601b178b330dcfb217c4f362285055a5bb1daa88fa0dbdfb7810b05d073cc04ea540f7a4b5b9dc053

Download Submit
C:\Users\Admin\AppData\Local\bdvblrdrcfocwrxbpczbtzjpbpadmaup.zna

Filesize
3KB

MD5
b3682b0ba27e7baae51055c94e024fe9

SHA1
1dd7473aaa05d4c79db1bd48ab2a27ab8f8e7a9b

SHA256
424454a0861a7b81da7d0d11e936fddeebebe654b06d0e40703159af5ef4903a

SHA512
145839df3c045b376b7dfda7ae1e18c2a6fe8d94be2604c408d24d7691a5d268acf0aaf3aa6f61e85c0487daac6078e09f0215a9cd5c590dab9ce2554c23bd22

Download Submit
C:\Users\Admin\AppData\Local\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
a7f53104bc1a710ecfdd539be7e3f637

SHA1
7700d3495a7c11d0276f84e5b4bfaab1047ed3e1

SHA256
88aef6dcdd093a5fa1954f3fcbe471868aa094f8e69fc4b471463530d36900a9

SHA512
3d95c6f92e20d47a7730e145b28648505e1ca9fa119232af3c6d315bcd6c773d3878b7f701fda1c6781617b1511450a10dca3d6b1d749247e76e6372ee6e29cc

Download Submit
C:\Users\Admin\AppData\Local\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
946e6b1af1d54e73eec7f668e79fa84c

SHA1
8b76d2cba919bd0c0a3290d2778f2007353a8706

SHA256
e7186d3c458f26e8f482fd9c7ffa890f6eb594d3a05c0fc527a0adc1fe2f81d1

SHA512
e026c266bff1ead760cc3357f5783fade2cc9eb5991e3d04466f12651b7da29e338000bccd05a58281c2995072dc71988755b9f962214b904f38dbf6744752ea

Download Submit
C:\Users\Admin\AppData\Local\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
239d93cd7b1579baa755734688a44dfd

SHA1
5425b234e84bfb542a2001e500f541a66088ec0c

SHA256
d868ac1b1c8c827c8dcfacdb8ba22adf028e5ad93d6aa470e9d74a3de4370df4

SHA512
b4765175ade8809b51e0977c9b5ecb311f26d67f176b6f907e1b0e864dda7d76ecf5b8fa7222e0c435ba7a0cdba64d1938fa99d998f73139d0f70adf13c59672

Download Submit
C:\Windows\SysWOW64\gxezytuxxpnqzjexacofm.gbc

Filesize
116B

MD5
ad46a8c616e4c4bba2e7d6b42b4a4cc3

SHA1
124175ae5b099c1f7931dbac0d7fbe0dc5c9dc5a

SHA256
ae22ab5d864bc49dff60647104fba93697a29cb9573f9f32f249232eb7798230

SHA512
629ca61cc3adf669313ead65cb00d77141e19f34cd7594c900ed63583ed01e568453a4e3c9416178c2f4af74dd6eae93e569dba9897522a4699bb0c90e0b1a24

Download Submit
C:\Windows\SysWOW64\rbbphvplepgcehvhdy.exe

Filesize
512KB

MD5
27883306f010718832c6ff2ecdce8d09

SHA1
03138202a970a4567699f2a0e145316bcc578622

SHA256
3da5a892a8bf4944182a32691bab0ef4f040d694b839118488f8dc38f34b2c53

SHA512
379b1bcd1020b087353ba2790eb6401266cc54c598db625de73a5b983017b4edf06caff5339071cf2f3373b0736580d88d50d75e1f4a090cae21556c320b13d3

Download Submit