Malware Analysis Report

2025-03-15 00:57

Sample ID: 240626-ha8f3sshqm
Target: 110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118
SHA256: 590bb51bc11e8bb696170d2d70ea379e7bc57471d86b5e411e798afd32cd6a78
Tags: defense_evasion evasion persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 590bb51bc11e8bb696170d2d70ea379e7bc57471d86b5e411e798afd32cd6a78

Threat Level: Known bad

The file 110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 06:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 06:33
Reported: 2024-06-26 06:35
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgpaoqjpard = "piaurcetnniylhiggrkc.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgpaoqjpard = "culeaklzsrlamhhednf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryemxwmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piaurcetnniylhiggrkc.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryemxwmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyrmkwzpklhymjlklxrkf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riyqluuhzxqepjiecl.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoapsmtfxks = "eyrmkwzpklhymjlklxrkf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "mfuqofzsnniylhiggohw.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\culeaklzsrlamhhednf.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "zrfaxngysrlamhhedkc.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "fvhavjaqifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyneygfrifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "riyqluuhzxqepjiecl.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "culeaklzsrlamhhednf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "riyqluuhzxqepjiecl.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgsgxcyhvpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqeunusdtpgsbtqk.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "bvlihzuoklhymjlkluoeb.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepcswrzmftci = "piaurcetnniylhiggrkc.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "fvhavjaqifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "bvlihzuoklhymjlkluoeb.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "zrfaxngysrlamhhedkc.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoapsmtfxks = "culeaklzsrlamhhednf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File created C:\Windows\SysWOW64\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File created C:\Windows\SysWOW64\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File created C:\Program Files (x86)\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Program Files (x86)\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File created C:\Program Files (x86)\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File created C:\Windows\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\bffmvxcgmxdecjvepimmtcejnte.ljq C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\ynyqkxnctpgsbtqk.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\zrfaxngysrlamhhedkc.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\mfuqofzsnniylhiggohw.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\bvlihzuoklhymjlkluoeb.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\sneccvrmjliapnqqscxomm.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\ofsmixpgzxqepjieci.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\fvhavjaqifxkunlgd.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
File opened for modification C:\Windows\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 4664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 4664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 2456 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 2456 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 2456 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 2456 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 2456 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 2456 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
PID 4664 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 4664 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 4664 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe N/A
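Every value in the table above is readable on a suspect host, so the cheapest triage step is a compare against a known-good baseline. The script below is an added example, not part of the sandbox report or of the sample: it reads the UAC values under Policies\System and NoDriveTypeAutoRun under Policies\Explorer and reports which ones deviate. The "expected" numbers are an assumed baseline (Windows 10 Pro defaults, with NoDriveTypeAutoRun pushed to 0xFF as most GPO hardening guides do; the OS default there is 0x91, and Enterprise SKUs ship EnableInstallerDetection=0), so substitute your own GPO values before trusting the output. Run it from an elevated PowerShell.

```powershell
# Added example: audit the UAC / Explorer policy values this sample tampers with.
# Not part of the sandbox report. 'Expected' values are an ASSUMED baseline
# (Windows 10 Pro defaults; NoDriveTypeAutoRun=255 is a common GPO hardening,
# the OS default is 0x91). Run from an elevated PowerShell on the host.

function Test-UacPolicyBaseline {
    [CmdletBinding()]
    param(
        [string]$SystemKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # One row per value the sample sets. 'Effect' describes what the sample's value
    # (0 everywhere, except DisableRegistryTools=1 and NoDriveTypeAutoRun=1) achieves.
    $checks = @(
        @{ Key=$SystemKey;   Name='EnableLUA';                  Expected=1;   Effect='0 = UAC off, admin logons get a full token, no prompts' }
        @{ Key=$SystemKey;   Name='ConsentPromptBehaviorAdmin'; Expected=5;   Effect='0 = admins elevate silently' }
        @{ Key=$SystemKey;   Name='ConsentPromptBehaviorUser';  Expected=3;   Effect='0 = elevation requests from standard users auto-denied' }
        @{ Key=$SystemKey;   Name='PromptOnSecureDesktop';      Expected=1;   Effect='0 = prompts shown on the interactive desktop (spoofable)' }
        @{ Key=$SystemKey;   Name='EnableVirtualization';       Expected=1;   Effect='0 = no file/registry virtualization for legacy apps' }
        @{ Key=$SystemKey;   Name='EnableInstallerDetection';   Expected=1;   Effect='0 = installers no longer trigger elevation' }
        @{ Key=$SystemKey;   Name='EnableSecureUIAPaths';       Expected=1;   Effect='0 = UIAccess apps may run from any path' }
        @{ Key=$SystemKey;   Name='DisableRegistryTools';       Expected=0;   Effect='1 = regedit blocked, hinders manual cleanup' }
        @{ Key=$ExplorerKey; Name='NoDriveTypeAutoRun';         Expected=255; Effect='1 = AutoRun re-enabled on removable and fixed drives' }
    )

    foreach ($c in $checks) {
        # Get-ItemProperty fails when the key or the value is missing; treat that as "not set".
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $actual = $null
            $status = 'ABSENT (OS default applies)'
        } else {
            $actual = [int]$item.($c.Name)
            $status = if ($actual -eq $c.Expected) { 'OK' } else { 'TAMPERED' }
        }
        [PSCustomObject]@{
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
            Effect   = $c.Effect
        }
    }
}

Test-UacPolicyBaseline | Format-Table -AutoSize
```

Two caveats when reading the result. Writes that merely restore a default, such as ValidateAdminCodeSignatures=0 and FilterAdministratorToken=0 in the table above, are invisible to a value compare; only the write itself catches them (Sysmon Event ID 13, RegistryEvent Value Set, scoped to Policies\System, or Object Access auditing on that key). And NoDriveTypeAutoRun=1 is a weakening, not a hardening: it leaves AutoRun enabled for removable and fixed disks, which is why the sample pairs it with the autorun.inf and SysWOW64 drops elsewhere in this analysis.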

Processes

C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe

"C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe" "-C:\Users\Admin\AppData\Local\Temp\ynyqkxnctpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe

"C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe" "-C:\Users\Admin\AppData\Local\Temp\ynyqkxnctpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

C:\Users\Admin\AppData\Local\Temp\eilqy.exe

"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.ebay.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.bbc.co.uk udp
US 8.8.8.8:53 www.youtube.com udp
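The five IP-lookup names in the "Looks up external IP address via web service" signature and the Network table (www.showmyipaddress.com, www.whatismyip.ca, whatismyip.everdot.org, whatismyipaddress.com, www.whatismyip.com) are the only resolutions here worth alerting on; the youtube, facebook, baidu, ebay, google and bbc lookups are consistent with a connectivity probe and are not indicators on their own. On a host with Sysmon DNS logging, the query below ties each such lookup to the process that made it. It is an added example, not part of the sandbox report; it assumes Sysmon is installed with DnsQuery events (ID 22) enabled and reads the domain list from this report.

```powershell
# Added example: find which process resolved the external-IP-check domains from
# this report, using Sysmon Event ID 22 (DnsQuery). Not part of the sandbox
# report; assumes Sysmon with DNS logging enabled. Run elevated.

function Find-ExternalIpLookups {
    [CmdletBinding()]
    param(
        # Domains observed in this report's signature and Network tables.
        [string[]]$Domains = @(
            'www.showmyipaddress.com', 'www.whatismyip.ca', 'whatismyip.everdot.org',
            'whatismyipaddress.com', 'www.whatismyip.com'
        ),
        [int]$MaxEvents = 50000
    )

    # Match the exact name or any subdomain of it; -match is case-insensitive.
    $escaped = $Domains | ForEach-Object { [regex]::Escape($_) }
    $pattern = '(^|\.)(' + ($escaped -join '|') + ')$'

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    # SilentlyContinue: Get-WinEvent throws when the log holds no matching events.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull fields by name from the event XML rather than by Properties index,
        # so the code survives field reordering between Sysmon versions.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.QueryName -match $pattern) {
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                Image     = $data.Image
                ProcessId = $data.ProcessId
                QueryName = $data.QueryName
                Answer    = $data.QueryResults
            }
        }
    }
}

Find-ExternalIpLookups | Sort-Object Time | Format-Table -AutoSize
```

The Image column is the decisive field: a browser or an updater hitting these services is routine, while a randomly named executable in %TEMP%, C:\Windows or SysWOW64 (the locations this sample drops into) resolving them repeatedly, as the detonation shows, is the lead to follow.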

Files

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

MD5 b92314203327a733531042bc58e54f57
SHA1 1f3d0081f308a82c9659f4a57fc1ad551167a181
SHA256 d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3
SHA512 2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7

C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe

MD5 110b4ea8f6a3ed43eb694bea1dfa7a9d
SHA1 e3bdcb7fe39165012d2c2c08e22910ba5e7abe69
SHA256 590bb51bc11e8bb696170d2d70ea379e7bc57471d86b5e411e798afd32cd6a78
SHA512 794d08002db1f0ee168fcfba29db5a57f4cfb3ab1b2c0c9c21fcd5e8fc389c7308cf03dc38afb847606ffb27d0bc74e4530e10f8b39d46a403fe96773c9c277d

C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe

MD5 9518b138e323fa2909b73262912ec34f
SHA1 1da1cf60c54934dec3e8462e03492f74901a41bc
SHA256 203d66629d8604455edc1a883150a63ed4ad79396b2821e76d493a79c8959645
SHA512 60dbb2a86cf7bce03b888cc63245a1ebf7e123b2c5f3f428ae2891fa411c229960a735cc461a28ced4c7f5786d55a833e0917594269b3b171702aa2749ac328b

C:\Users\Admin\AppData\Local\bffmvxcgmxdecjvepimmtcejnte.ljq

MD5 8ef496d985f88251755b23bc1d460d26
SHA1 368eba5fa3b4774eeeab7f83833f5f7fa66090c9
SHA256 6d3bb51207874ca17eee45cb04dd086145391cf30127637c852f32bfa7675e4e
SHA512 ea28c9ad78c7adb7233893700c6060132ef35298c5c92329ff1fa721a82b5d687762f3c3e1149f2a335f809916e5e056c55acc0197995fa07ada8df0b62a810d

C:\Users\Admin\AppData\Local\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla

MD5 82910bd4d9a2100f6f60f52e97f00623
SHA1 4ac75a262c4d7a362726c32c4db7d6b7d476359b
SHA256 3f03d5f2bba1142cd192bf6db774c9f830678355eb5fad2eb01a2932c0392a0a
SHA512 9ec1b9922f0a0ababb63b824946354578036e1be05da5754d4f738295c6a600e1dfaa4788dcb2057a68ea1112c936f050430cb8afc03645c914fcead2ef0d34f

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 06:33

Reported

2024-06-26 06:35

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
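Two details in the table above matter for a host check. The value written is "Explorer.exe", the default bar capitalisation, so a string compare against the stock value reports nothing; what is suspicious is that an executable in %TEMP% wrote it at all. And the path is under Wow6432Node, meaning a 32-bit dropper on 64-bit Windows was redirected there, while 64-bit winlogon.exe reads the native key; both keys therefore need to be inspected. The script below is an added example, not part of the sandbox report: it parses Shell and Userinit from both Winlogon keys as lists of executables (so case differences pass but an appended binary does not) and enumerates HKLM Policies\Explorer\Run, the other autostart location this detonation writes. The expected values are assumptions for a stock Windows install.

```powershell
# Added example: audit Winlogon Shell/Userinit and the policy Run key.
# Not part of the sandbox report. Expected values are ASSUMED stock defaults.
# Run from an elevated PowerShell on the host.

function Test-WinlogonPersistence {
    [CmdletBinding()]
    param()

    $winlogonKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'              # read by 64-bit winlogon.exe
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'  # where 32-bit writers land
    )
    # Winlogon values are comma-separated executable lists; compare the parsed list,
    # not the raw string, so "Explorer.exe" == "explorer.exe" but
    # "explorer.exe,C:\evil.exe" is flagged.
    $expected = @{
        Shell    = @('explorer.exe')
        Userinit = @("$env:SystemRoot\system32\userinit.exe")
    }

    foreach ($key in $winlogonKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }      # 32-bit hosts have no Wow6432Node
        foreach ($name in $expected.Keys) {
            $raw = $props.$name
            if ($null -eq $raw) { continue }    # Wow6432Node normally carries no Shell/Userinit
            $actual = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $extra  = @($actual | Where-Object { $expected[$name] -notcontains $_ })  # case-insensitive
            [PSCustomObject]@{
                Key    = $key
                Value  = $name
                Raw    = $raw
                Status = if ($extra.Count -gt 0) { 'TAMPERED' } else { 'OK' }
                Extra  = ($extra -join ', ')
            }
        }
    }

    # Policies\Explorer\Run is a shared (non-redirected) key; anything here was placed
    # either by Group Policy or by malware, so every entry is worth a look.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [PSCustomObject]@{ Key=$runKey; Value=$_.Name; Raw=$_.Value; Status='REVIEW'; Extra='' }
            }
    }
}

Test-WinlogonPersistence | Format-Table -AutoSize -Wrap
```

Because the Shell write here is value-neutral, the durable detection is the write event rather than the value: Sysmon Event ID 13 on either Winlogon key from any image outside C:\Windows\System32 (or a Group Policy client) is the signal, and it fires on this sample regardless of what string it stores.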

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "cvphicvtighkvaaumxqjd.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "zncplaohrkgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "pfwljaqlxsqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "pfwljaqlxsqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "pfwljaqlxsqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "zncplaohrkgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "cvphicvtighkvaaumxqjd.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "nfyppiaxliikuyxqhrjb.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "nfyppiaxliikuyxqhrjb.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "cvphicvtighkvaaumxqjd.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "arjzyqhdqmlmvywoene.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "gvlzwmbvgaxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\Windows\SysWOW64\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\Windows\SysWOW64\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Program Files (x86)\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\Program Files (x86)\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File created C:\Windows\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\zncplaohrkgekkfu.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\gvlzwmbvgaxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File created C:\Windows\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\pfwljaqlxsqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\arjzyqhdqmlmvywoene.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\tnibdysrhgimyefatfztoh.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\cvphicvtighkvaaumxqjd.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\tvyzjmovtakwqenqrlnpstdgip.ueq C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
File opened for modification C:\Windows\nfyppiaxliikuyxqhrjb.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 3000 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 3000 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
PID 2916 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2916 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cfjlw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\cfjlw.exe

"C:\Users\Admin\AppData\Local\Temp\cfjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\zncplaohrkgekkfu.exe"

C:\Users\Admin\AppData\Local\Temp\cfjlw.exe

"C:\Users\Admin\AppData\Local\Temp\cfjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\zncplaohrkgekkfu.exe"

C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe"

Network


Files

\Users\Admin\AppData\Local\Temp\cfjlw.exe


C:\Windows\tnibdysrhgimyefatfztoh.exe


C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe


C:\Users\Admin\AppData\Local\tvyzjmovtakwqenqrlnpstdgip.ueq


C:\Users\Admin\AppData\Local\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw


C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq

