Analysis Overview
SHA256
590bb51bc11e8bb696170d2d70ea379e7bc57471d86b5e411e798afd32cd6a78
Threat Level: Known bad
The file 110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Drops autorun.inf file
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 06:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 06:33
Reported
2024-06-26 06:35
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgpaoqjpard = "piaurcetnniylhiggrkc.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgpaoqjpard = "culeaklzsrlamhhednf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryemxwmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piaurcetnniylhiggrkc.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryemxwmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyrmkwzpklhymjlklxrkf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fnrcpvemw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riyqluuhzxqepjiecl.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoapsmtfxks = "eyrmkwzpklhymjlklxrkf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "mfuqofzsnniylhiggohw.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\culeaklzsrlamhhednf.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "zrfaxngysrlamhhedkc.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "fvhavjaqifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyneygfrifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfaxngysrlamhhedkc.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynyqkxnctpgsbtqk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "riyqluuhzxqepjiecl.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqxgssjnw = "culeaklzsrlamhhednf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkscpqinxn = "riyqluuhzxqepjiecl.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgsgxcyhvpeovl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqeunusdtpgsbtqk.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "bvlihzuoklhymjlkluoeb.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepcswrzmftci = "piaurcetnniylhiggrkc.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynyqkxnctpgsbtqk.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "fvhavjaqifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qdmcuftgvpeovl = "bvlihzuoklhymjlkluoeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbjypzmymftci = "zrfaxngysrlamhhedkc.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofsmixpgzxqepjieci.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teoapsmtfxks = "culeaklzsrlamhhednf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thribncqgbrckbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvhavjaqifxkunlgd.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhmymtdmxn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfuqofzsnniylhiggohw.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
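A practitioner reading the registry signatures above usually wants two things: the events collapsed into a hunt list (the tables repeat the same write several times per process) and a reminder of what each write actually achieves. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses rows in the `| Description | Indicator | Process | Target |` layout used on this page (a handful of rows are copied inline as constructed sample input), maps the `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` object paths to `HKLM`/`HKU`, strips the `WOW6432Node` redirect so 32-bit and 64-bit views compare equal, and classifies each event. The ATT&CK technique IDs and the `Userinit` check are the script's own additions, not the report's. Two caveats the labels above do not spell out: the "UAC bypass" rows are policy writes (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser` and `PromptOnSecureDesktop` set to 0) that already require administrative rights to write under HKLM and, for `EnableLUA`, only take effect after a reboot, so they weaken UAC for later rather than bypass it now; and the Winlogon `Shell` value written is `Explorer.exe`, the default, so a hunt that inspects the stored value finds nothing and the write event itself (for example Sysmon Event ID 13) is what to look for.

```python
"""Turn the registry rows of a sandbox report into de-duplicated hunt checks.

Constructed example: SAMPLE_ROWS are copied from the signature tables of this
report; the ATT&CK technique IDs are this script's own mapping.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

UAC_POLICY_VALUES = {"enablelua", "consentpromptbehavioradmin",
                     "consentpromptbehavioruser", "promptonsecuredesktop"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
            "\\currentversion\\policies\\explorer\\run\\")

# Row layout as rendered on this page: | op | indicator | process | target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>.+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*[^|]+?\s*\|$")
IND_RE = re.compile(r'^(?P<path>.*?)(?: = "(?P<value>.*)")?$')

SAMPLE_ROWS = [  # constructed sample input, copied from the tables above
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbiwmvhsfxks = "fvhavjaqifxkunlgd.exe" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tdjwlteoard = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvlihzuoklhymjlkluoeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |',
    r'| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |',
]


@dataclass
class Finding:
    category: str
    technique: str
    key: str
    value_name: Optional[str]
    value: Optional[str]
    process: str
    reasons: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Map the kernel object path to hive notation and drop the WOW6432Node redirect."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def parse_row(row: str):
    """Return (operation, registry path, value or None, writing process) for one table row."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ind = IND_RE.match(m["ind"])
    return m["op"], ind["path"], ind["value"], m["proc"]


def classify(op: str, path: str, value: Optional[str], process: str) -> Finding:
    """Assign a category (and this script's ATT&CK mapping) to one registry event."""
    key = normalize(path)
    low = key.lower()
    parent, _, name = key.rpartition("\\")
    f = Finding("Modify Registry", "T1112", key, None, value, process)
    if op == "Key deleted" and "\\control\\safeboot\\" in low:
        f.category, f.technique = "Impair Defenses: Safe Mode Boot", "T1562.009"
        f.reasons.append("entry removed from SafeBoot\\Minimal; Safe Mode will no longer load it")
    elif op == "Key value queried":
        f.category, f.technique = "Query only (reconnaissance)", "-"
    elif op.startswith("Set value"):
        f.key, f.value_name = parent, name      # last path component is the value name
        lname, v = name.lower(), (value or "").replace("\\\\", "\\")  # report doubles backslashes
        if "\\policies\\system\\" in low and lname in UAC_POLICY_VALUES and value == "0":
            f.category, f.technique = "UAC disabled via policy", "T1548.002"
            f.reasons.append(f"{name}=0 needs admin rights under HKLM; EnableLUA applies after reboot")
        elif lname == "disableregistrytools" and value == "1":
            f.category, f.technique = "Disables RegEdit", "T1112"
        elif "\\winlogon\\" in low and lname in {"shell", "userinit"}:
            f.category, f.technique = "Winlogon persistence", "T1547.004"
            f.reasons.append("written value equals the default; hunt on the write event, not the stored value"
                             if v.lower() == "explorer.exe" else "non-default Winlogon value")
        elif any(k in low for k in RUN_KEYS):
            f.category, f.technique = "Run key persistence", "T1547.001"
            if "\\" not in v:
                f.reasons.append("bare file name: resolved through the search path at logon")
            if "\\appdata\\local\\temp\\" in v.lower():
                f.reasons.append("target lives in %TEMP%")
            if v.endswith(" ."):
                f.reasons.append('trailing " ." argument, as in this report\'s RunOnce entries')
            if "\\policies\\explorer\\run\\" in low:
                f.reasons.append("Policies\\Explorer\\Run is inspected less often than Run/RunOnce")
    return f


def hunt_checks(rows: List[str]) -> List[Finding]:
    """Parse and classify rows, dropping exact repeats of the same write by the same process."""
    seen, out = set(), []
    for row in rows:
        f = classify(*parse_row(row))
        sig = (f.category, f.key.lower(), (f.value_name or "").lower(), f.value, f.process.lower())
        if sig not in seen:
            seen.add(sig)
            out.append(f)
    return sorted(out, key=lambda x: (x.technique, x.key))


if __name__ == "__main__":
    for f in hunt_checks(SAMPLE_ROWS):
        target = f"\\{f.value_name} = {f.value!r}" if f.value_name else ""
        print(f"[{f.technique}] {f.category}: {f.key}{target}  <- {f.process}")
        for reason in f.reasons:
            print("    -", reason)
```

Run as-is it prints the de-duplicated checks for the sample rows; to cover the whole report, paste the remaining rows from the tables above into `SAMPLE_ROWS`. The de-duplication key keeps the writing process, so the same value written by both `zfhqbfm.exe` and `wiptgynegsz.exe` stays visible while the literal repeats in the tables collapse.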
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File created | C:\Windows\SysWOW64\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File created | C:\Windows\SysWOW64\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File created | C:\Program Files (x86)\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File created | C:\Program Files (x86)\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File created | C:\Windows\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\bffmvxcgmxdecjvepimmtcejnte.ljq | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\ynyqkxnctpgsbtqk.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\zrfaxngysrlamhhedkc.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\mfuqofzsnniylhiggohw.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\bvlihzuoklhymjlkluoeb.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\sneccvrmjliapnqqscxomm.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\ofsmixpgzxqepjieci.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\fvhavjaqifxkunlgd.exe | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| File opened for modification | C:\Windows\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
"C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe" "-C:\Users\Admin\AppData\Local\Temp\ynyqkxnctpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
"C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe" "-C:\Users\Admin\AppData\Local\Temp\ynyqkxnctpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
C:\Users\Admin\AppData\Local\Temp\eilqy.exe
"C:\Users\Admin\AppData\Local\Temp\eilqy.exe" "-C:\Users\Admin\AppData\Local\Temp\bqeunusdtpgsbtqk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.ebay.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.bbc.co.uk | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
| MD5 | b92314203327a733531042bc58e54f57 |
| SHA1 | 1f3d0081f308a82c9659f4a57fc1ad551167a181 |
| SHA256 | d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3 |
| SHA512 | 2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7 |
C:\Windows\SysWOW64\ofsmixpgzxqepjieci.exe
| MD5 | 110b4ea8f6a3ed43eb694bea1dfa7a9d |
| SHA1 | e3bdcb7fe39165012d2c2c08e22910ba5e7abe69 |
| SHA256 | 590bb51bc11e8bb696170d2d70ea379e7bc57471d86b5e411e798afd32cd6a78 |
| SHA512 | 794d08002db1f0ee168fcfba29db5a57f4cfb3ab1b2c0c9c21fcd5e8fc389c7308cf03dc38afb847606ffb27d0bc74e4530e10f8b39d46a403fe96773c9c277d |
C:\Users\Admin\AppData\Local\Temp\zfhqbfm.exe
| MD5 | 9518b138e323fa2909b73262912ec34f |
| SHA1 | 1da1cf60c54934dec3e8462e03492f74901a41bc |
| SHA256 | 203d66629d8604455edc1a883150a63ed4ad79396b2821e76d493a79c8959645 |
| SHA512 | 60dbb2a86cf7bce03b888cc63245a1ebf7e123b2c5f3f428ae2891fa411c229960a735cc461a28ced4c7f5786d55a833e0917594269b3b171702aa2749ac328b |
C:\Users\Admin\AppData\Local\bffmvxcgmxdecjvepimmtcejnte.ljq
| MD5 | 8ef496d985f88251755b23bc1d460d26 |
| SHA1 | 368eba5fa3b4774eeeab7f83833f5f7fa66090c9 |
| SHA256 | 6d3bb51207874ca17eee45cb04dd086145391cf30127637c852f32bfa7675e4e |
| SHA512 | ea28c9ad78c7adb7233893700c6060132ef35298c5c92329ff1fa721a82b5d687762f3c3e1149f2a335f809916e5e056c55acc0197995fa07ada8df0b62a810d |
C:\Users\Admin\AppData\Local\ynyqkxnctpgsbtqkgkzkcwjzofbsenfcwswlwo.vla
| MD5 | 82910bd4d9a2100f6f60f52e97f00623 |
| SHA1 | 4ac75a262c4d7a362726c32c4db7d6b7d476359b |
| SHA256 | 3f03d5f2bba1142cd192bf6db774c9f830678355eb5fad2eb01a2932c0392a0a |
| SHA512 | 9ec1b9922f0a0ababb63b824946354578036e1be05da5754d4f738295c6a600e1dfaa4788dcb2057a68ea1112c936f050430cb8afc03645c914fcead2ef0d34f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 06:33
Reported
2024-06-26 06:35
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "cvphicvtighkvaaumxqjd.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfjlw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pvchvcit = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "zncplaohrkgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "pfwljaqlxsqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "pfwljaqlxsqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "pfwljaqlxsqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "zncplaohrkgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "cvphicvtighkvaaumxqjd.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "nfyppiaxliikuyxqhrjb.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "nfyppiaxliikuyxqhrjb.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "cvphicvtighkvaaumxqjd.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfwljaqlxsqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbmvnyixdske = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aflpcin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnvbqyfru = "arjzyqhdqmlmvywoene.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nrwzlq = "gvlzwmbvgaxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zhqxnwervi = "arjzyqhdqmlmvywoene.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\udnvmwftymd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zncplaohrkgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\Windows\SysWOW64\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\Windows\SysWOW64\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\Program Files (x86)\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File created | C:\Windows\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\zncplaohrkgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\gvlzwmbvgaxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File created | C:\Windows\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\pfwljaqlxsqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\arjzyqhdqmlmvywoene.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\tnibdysrhgimyefatfztoh.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\cvphicvtighkvaaumxqjd.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\tvyzjmovtakwqenqrlnpstdgip.ueq | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| File opened for modification | C:\Windows\nfyppiaxliikuyxqhrjb.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cfjlw.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
"C:\Users\Admin\AppData\Local\Temp\cfjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\zncplaohrkgekkfu.exe"
C:\Users\Admin\AppData\Local\Temp\cfjlw.exe
"C:\Users\Admin\AppData\Local\Temp\cfjlw.exe" "-C:\Users\Admin\AppData\Local\Temp\zncplaohrkgekkfu.exe"
C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\110b4ea8f6a3ed43eb694bea1dfa7a9d_jaffacakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\cfjlw.exe
C:\Windows\tnibdysrhgimyefatfztoh.exe
C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
C:\Users\Admin\AppData\Local\tvyzjmovtakwqenqrlnpstdgip.ueq
C:\Users\Admin\AppData\Local\uhvhcqdvewrotsmamrerfrmanfogbydcwkwbo.pbw
C:\Program Files (x86)\tvyzjmovtakwqenqrlnpstdgip.ueq