Malware Analysis Report

2025-03-15 00:57

Sample ID 240626-nkymhssepd
Target 11d70692f4951c285da09737464c9eb3_JaffaCakes118
SHA256 cfc93766552ba4240ee547666e583553bfe0ef5f3e13fe4a4aa2e116587db359
Tags upx defense_evasion evasion persistence
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 cfc93766552ba4240ee547666e583553bfe0ef5f3e13fe4a4aa2e116587db359

Threat Level: Likely malicious

The file 11d70692f4951c285da09737464c9eb3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion evasion persistence

Nirsoft

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Impair Defenses: Safe Mode Boot

UPX packed file

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 11:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 11:27
Reported 2024-06-26 11:30
Platform win7-20240508-en
Max time kernel 121s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\pev.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\PEV.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TAIL.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zip.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETPATH.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SF.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MTEE.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moveex.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CTFMON.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expand.exe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setpath.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWREG.EXE C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HIDEC.EXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.com C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HANDLE.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LISTDLLS.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\listdlls.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ERUNT.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\find.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.com C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LISTDLLS.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REG.EXE C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGT.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWREG.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CHCP.COM C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SED.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZIP.CFXXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdsv.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDSTR.EXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Combo-Fix.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MTEE.CFXXE C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FDSV.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\32788R22FWJFW\pev.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\PEV.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\PEV.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\SWXCACLS.cfxxe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\GSAR.cfxxe N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\GSAR.cfxxe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\SWREG.cfxxe N/A
N/A N/A C:\32788R22FWJFW\SWREG.cfxxe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\PEV.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX C:\32788R22FWJFW\pev.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\InfDefaultInstall.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\pev.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\PEV.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pif C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pif C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pif C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" C:\32788R22FWJFW\PEV.exe N/A
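
The rows above fire the "Modifies system executable filetype association" signature because of the keys touched, but the value written is what separates a handler hijack from a restoration: every Set value row on this page writes "%1" %*, the stock open/runas command, and the one novelty is a custom .cfxxe extension wired to cfxxefile with that same command. The script below is an added example for this report, not sandbox or sample code. It parses the row format exactly as printed here, unescapes the value and classifies each write; the C:\hypothetical\loader.exe row is constructed to show what a non-default handler looks like.

```python
"""Triage of the 'Modifies system executable filetype association' rows.

Added example for this report, not sandbox or sample code. It parses the
flattened 'Set value (str) <key>\\ = "<value>" <process> <target>' rows,
unescapes the value and decides whether a write to an executable file-type
handler keeps the Windows default ('"%1" %*') or puts another program in
front of the target, which is the pattern a real handler hijack shows.
"""
import re
from dataclasses import dataclass

# Extension -> ProgID pairs Windows ships with for directly executable files
# whose open and runas command is the stock '"%1" %*'.
EXEC_HANDLERS = {
    ".exe": "exefile", ".com": "comfile", ".bat": "batfile",
    ".cmd": "cmdfile", ".pif": "piffile",
}
DEFAULT_COMMAND = '"%1" %*'

# Row layout used by the report: the value is printed with escaped quotes,
# then the writing process and the (unused) target column follow.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\ = "(?P<value>.*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)


@dataclass
class Finding:
    key: str
    value: str
    process: str
    verdict: str


def classify(key: str, value: str) -> str:
    """Verdict for one registry write; 'non-default' means look at it, not that it is malicious."""
    marker = "\\Classes\\"
    if marker not in key:
        return "other"
    parts = key.split(marker, 1)[1].split("\\")   # e.g. ['exefile', 'shell', 'open', 'command']
    head = parts[0].lower()
    if head.startswith("."):                        # extension -> ProgID mapping
        expected = EXEC_HANDLERS.get(head)
        if expected is None:
            return "custom-extension"               # e.g. .cfxxe = cfxxefile
        return "extension-ok" if value.lower() == expected else "extension-remapped"
    if (len(parts) == 4 and parts[1].lower() == "shell"
            and parts[2].lower() in ("open", "runas") and parts[3].lower() == "command"):
        if head in EXEC_HANDLERS.values():
            return "default" if value == DEFAULT_COMMAND else "non-default"
        return "custom-handler"                     # e.g. cfxxefile\shell\open\command
    return "other"


def parse_rows(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                                # 'Key created'/'Key deleted' rows carry no value
        value = m["value"].replace('\\"', '"')
        findings.append(Finding(m["key"], value, m["proc"], classify(m["key"], value)))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Rows copied from this report, plus one constructed hijack row
# (C:\hypothetical\...) to show what a non-default handler looks like.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\hypothetical\loader.exe\" \"%1\" %*" C:\hypothetical\dropper.exe N/A
'''

if __name__ == "__main__":
    results = parse_rows(SAMPLE_ROWS)
    for f in results:
        print(f"{f.verdict:17} {f.value!r:42} {f.key}  ({f.process})")
    print(summarize(results))
```

Run it against the full signature table to get counts per verdict; anything other than default, extension-ok or custom-* deserves a look at the process that wrote it.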

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\32788R22FWJFW\License\iexplore.exe N/A
Token: SeDebugPrivilege N/A C:\32788R22FWJFW\pev.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\SWXCACLS.cfxxe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 1084 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 1084 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 1084 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 3016 wrote to memory of 1984 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 3016 wrote to memory of 1984 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 3016 wrote to memory of 1984 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 3016 wrote to memory of 1984 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 3052 wrote to memory of 1108 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 3052 wrote to memory of 1108 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 3052 wrote to memory of 1108 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 3052 wrote to memory of 1108 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 1084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2540 wrote to memory of 2180 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2540 wrote to memory of 2180 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2540 wrote to memory of 2180 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2540 wrote to memory of 2180 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2180 wrote to memory of 2532 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 2180 wrote to memory of 2532 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 2180 wrote to memory of 2532 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 2180 wrote to memory of 2532 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 1084 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 1084 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 2528 wrote to memory of 1588 N/A C:\32788R22FWJFW\n.pif C:\32788R22FWJFW\PEV.exe
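
The WriteProcessMemory rows above carry parent and child PIDs with both image paths, which is enough to rebuild the execution chain (sample to iexplore.exe, hidec.exe and n.pif; n.pif to InfDefaultInstall.exe, runonce.exe and grpconv.exe) and to check image names against where they normally live. The script below is an added example for this report, not sandbox code; the rows are copied from the table above, and the expected-directory table is an assumption made for the example. The iexplore.exe it flags sits in the drop directory and, in the Processes list further down, takes the same win close / exec hide / cmdwait verbs that NirCmd.cfxxe uses, so the name is not evidence of Internet Explorer (the infobox string in that list names the toolkit as ComboFix).

```python
"""Process tree and image-name masquerade check from WriteProcessMemory rows.

Added example for this report (not sandbox code): the 'PID a wrote to memory
of b' rows give parent and child PIDs and image paths, enough to rebuild the
execution chain and to spot a well-known binary name running from an
unexpected directory (ATT&CK T1036, Masquerading).
"""
import re
from collections import defaultdict

# The sandbox emits one row per WriteProcessMemory call, so identical rows repeat.
ROW_RE = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A '
    r'(?P<ppath>\S+) (?P<cpath>\S+)$'
)

# Directories these image names legitimately live in on a Windows 7 x64 image
# like the sandbox's (lower-case prefixes). Assumption made for the example.
EXPECTED_DIRS = {
    "iexplore.exe": ("c:\\program files\\internet explorer\\",
                     "c:\\program files (x86)\\internet explorer\\"),
    "cmd.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "infdefaultinstall.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "runonce.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "grpconv.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
}


def parse_tree(text: str):
    """Return (image_by_pid, children_by_pid, root_pids); duplicate rows collapse."""
    image, parent = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        p, c = int(m["parent"]), int(m["child"])
        image.setdefault(p, m["ppath"])
        image.setdefault(c, m["cpath"])
        parent.setdefault(c, p)          # first writer is treated as the parent
    children = defaultdict(list)
    for c, p in parent.items():
        children[p].append(c)
    roots = [pid for pid in image if pid not in parent]
    return image, dict(children), roots


def render(image, children, roots) -> list:
    """Indented one-line-per-process view of the tree."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


def masquerades(image) -> list:
    """(pid, path) for known image names running outside their expected directory."""
    hits = []
    for pid, path in image.items():
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        allowed = EXPECTED_DIRS.get(name)
        if allowed and not low.startswith(allowed):
            hits.append((pid, path))
    return sorted(hits)


# Rows copied from this report's WriteProcessMemory table (one duplicate kept
# on purpose to show the collapsing).
SAMPLE_ROWS = r'''
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 1084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 3016 wrote to memory of 1984 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 1084 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 3052 wrote to memory of 1108 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 1084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 2536 wrote to memory of 2540 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 2540 wrote to memory of 2180 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2180 wrote to memory of 2532 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
'''

if __name__ == "__main__":
    image, children, roots = parse_tree(SAMPLE_ROWS)
    print("\n".join(render(image, children, roots)))
    for pid, path in masquerades(image):
        print(f"masquerade? pid {pid}: {path}")
```

The parent relation is taken from the first process that wrote into a child; on this page that is always the creator, but a sandbox that also records injection would need the process-creation events to tell the two apart.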

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\pev.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Tool"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Central"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security essentials"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close class consolewindowclass

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" exec hide 32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\License\iexplore.exe

32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\pev.exe

32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf

C:\Windows\SysWOW64\InfDefaultInstall.exe

"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\PEV.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q

C:\32788R22FWJFW\PEV.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q

C:\32788R22FWJFW\SWXCACLS.cfxxe

32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\GSAR.cfxxe

32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\GSAR.cfxxe

32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\cmd.cfxxe

"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\pev.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "5.1.2" OsVer

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "6.0.6" OsVer

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "6.1.7600" OsVer

C:\32788R22FWJFW\swreg.exe

SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -is "currentversion.* 6.[01]" OsVer00

C:\32788R22FWJFW\swreg.exe

SWREG.exe QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService

C:\32788R22FWJFW\NirCmd.cfxxe

NIRCMD.cfxxe WIN CLOSE CLASS "#32770"

C:\32788R22FWJFW\NirCmd.cfxxe

NIRCMD.cfxxe KILLPROCESS "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\swreg.exe

SWREG QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00

C:\32788R22FWJFW\pev.exe

PEV PLIST

C:\32788R22FWJFW\grep.cfxxe

GREP -Fis "C:\Windows\system32\csrss.exe"

C:\32788R22FWJFW\SWREG.cfxxe

SWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q

C:\32788R22FWJFW\SWREG.cfxxe

SWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q

C:\Windows\SysWOW64\chcp.com

CHCP 1252

C:\32788R22FWJFW\NirCmd.cfxxe

Nircmd.cfxxe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"

C:\32788R22FWJFW\cmd.cfxxe

"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

Network

N/A

Files

memory/1084-0-0x0000000000400000-0x0000000000428000-memory.dmp

C:\32788R22FWJFW\n.pif

MD5 ae72e8619cb31d84da25e2435e55003c
SHA1 2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256 eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512 1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

memory/1084-343-0x0000000002140000-0x0000000002154000-memory.dmp

memory/1084-342-0x0000000002140000-0x0000000002154000-memory.dmp

memory/2880-354-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-352-0x0000000002150000-0x0000000002164000-memory.dmp

memory/1084-348-0x0000000002150000-0x0000000002164000-memory.dmp

memory/2880-346-0x0000000000400000-0x0000000000414000-memory.dmp

memory/708-368-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-365-0x0000000002150000-0x0000000002164000-memory.dmp

memory/1084-364-0x0000000002150000-0x0000000002164000-memory.dmp

memory/708-363-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-375-0x0000000002150000-0x0000000002164000-memory.dmp

memory/1084-378-0x0000000002150000-0x0000000002164000-memory.dmp

memory/1084-399-0x0000000002150000-0x0000000002164000-memory.dmp

memory/2404-398-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-405-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1084-411-0x0000000002140000-0x0000000002154000-memory.dmp

memory/1084-410-0x0000000002140000-0x0000000002154000-memory.dmp

C:\32788R22FWJFW\License\iexplore.exe

MD5 f1fba6185a6a2bc6456970914875078e
SHA1 a3a0da9b072ad4ceab9aec41af71a730d9b44744
SHA256 deaaab3b825ebadb6395e0be7671f96fd30ca8f76159b53c2d11da5c2ca7b7d0
SHA512 45cd68a2465d5aa24a693f5bdec9999fee1117e4329d4ae2e1d51a923d42d717e1d09eff9f9e11f3282ebc32422640028d64bf108f9d3d9c49bcd1df6b14212a

memory/1084-423-0x0000000002150000-0x0000000002152000-memory.dmp

memory/3016-422-0x0000000000230000-0x0000000000301000-memory.dmp

memory/1084-421-0x0000000002150000-0x0000000002152000-memory.dmp

C:\32788R22FWJFW\hidec.exe

MD5 abc6379205de2618851c4fcbf72112eb
SHA1 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

memory/3052-428-0x0000000000400000-0x0000000000402000-memory.dmp

memory/3052-431-0x0000000000320000-0x00000000003F1000-memory.dmp

memory/1108-433-0x0000000000BF0000-0x0000000000CC1000-memory.dmp

memory/1984-427-0x0000000000FB0000-0x0000000001081000-memory.dmp

memory/1984-437-0x0000000000FB0000-0x0000000001081000-memory.dmp

C:\\32788R22FWJFW\License\UnxUtilsDist.pif

MD5 50bf4c2f676d9f72739a3056f539c25b
SHA1 4343d7c0b00d433a278f455373df24e31110f13b
SHA256 cd13768a6e28bbebb7c11458965703a98df6c3722955f392ddbd555adf0ddd41
SHA512 dcdcede9fe9f282d77aa19008d7343ea793a66d152835cc86f133b9ff2b6490ce976c3abdb3538b0deff2db388b949937ed364ffe5f076a74d76cc743d9e2e28

memory/1108-439-0x0000000000BF0000-0x0000000000CC1000-memory.dmp

memory/1084-447-0x0000000003610000-0x0000000003624000-memory.dmp

C:\32788R22FWJFW\Prep.inf

MD5 f03267eaf036d409ef5a4be5d52fce0c
SHA1 6e3b554805deae14ef3d20b028608d5597b742b7
SHA256 6ac8ee793e2013b772c2ef5a93fafb27b058fff675a5ed5f29d4062775050aff
SHA512 9067c87977c6a89c4389add25235b58c828dcc0c0c88f85b5f7bc6f33913c21e4a0dbf1b659409354df9266e8f0dd6a30a34a062444f35ee1aa9b6be7fb35ebc

memory/2536-450-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2528-460-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1588-466-0x0000000001170000-0x0000000001241000-memory.dmp

memory/2528-465-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2528-464-0x0000000000420000-0x00000000004F1000-memory.dmp

C:\\32788R22FWJFW\EXE.reg

MD5 36cc97e6ad2062cf6ec87112f93a966b
SHA1 fa69d6fb867dd576c98c8f58f4ea088be99bb4b3
SHA256 053e62b47466216370865e22e0459ac32abc21b8265d2666dfd253996145741b
SHA512 7ae97e3ea54720856731ce85c46d67a160080aea8fbca21f5fb13a7a8ec81a164d313865aed4a1db23e2d3539ba97d8ca0fbfb21f5f95a6afe7e4c044d3c8135

memory/1588-469-0x0000000001170000-0x0000000001241000-memory.dmp

memory/2008-516-0x0000000000400000-0x0000000000402000-memory.dmp

\32788R22FWJFW\swreg.exe

MD5 01d95a1f8cf13d07cc564aabb36bcc0b
SHA1 be229bde90b82d21fe94c67e2b096334e93d78c2
SHA256 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512 342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

memory/1084-515-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1084-509-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1968-524-0x0000000000400000-0x000000000048B000-memory.dmp

C:\32788R22FWJFW\swxcacls.cfxxe

MD5 b1a9cf0b6f80611d31987c247ec630b4
SHA1 7299b3c370254e1e4bade26dc5fec818989d836a
SHA256 933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512 152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

memory/1260-527-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/1084-514-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1084-513-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1084-512-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1260-511-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/988-530-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2300-529-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2340-532-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1968-534-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1248-536-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1084-546-0x0000000003610000-0x0000000003624000-memory.dmp

memory/1084-545-0x0000000003610000-0x0000000003612000-memory.dmp

memory/1612-549-0x0000000000400000-0x000000000048B000-memory.dmp

memory/704-550-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2292-559-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1084-560-0x0000000003610000-0x0000000003624000-memory.dmp

memory/1756-561-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1084-573-0x0000000003610000-0x0000000003624000-memory.dmp

memory/2384-578-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2384-580-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1084-590-0x0000000003610000-0x0000000003624000-memory.dmp

memory/1084-598-0x0000000003610000-0x0000000003624000-memory.dmp

memory/1084-603-0x0000000003610000-0x0000000003624000-memory.dmp

memory/2184-605-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/2184-607-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/2740-609-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2512-610-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2660-611-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2864-612-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1084-613-0x0000000003610000-0x0000000003624000-memory.dmp

memory/2492-616-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2484-620-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2484-619-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2380-623-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2320-626-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2356-627-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2608-629-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2936-636-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/2936-638-0x00000000011E0000-0x00000000012B1000-memory.dmp

memory/2908-637-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1560-641-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1560-642-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1544-644-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1544-646-0x0000000000400000-0x000000000048B000-memory.dmp
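The dump names above encode the PID, a snapshot sequence number and the dumped address range. A quick pivot is to group them by range: the same base and size recurring across many PIDs (0x400000-0x48B000 here) usually means the same image was mapped in each of those processes, and a base that is re-dumped with a different end address in one PID is a region whose size changed between snapshots. The script below is an added example, not part of the sandbox report; its input is a constructed subset of the names listed above, and the function names are the author's own.

```python
"""Group sandbox memory-dump names by address range (added example, not report code)."""
import re
from collections import defaultdict

# Constructed subset of the "memory/<pid>-<seq>-<start>-<end>-memory.dmp" names listed above.
SAMPLE_DUMPS = [
    'memory/1968-524-0x0000000000400000-0x000000000048B000-memory.dmp',
    'memory/2300-529-0x0000000000400000-0x000000000048B000-memory.dmp',
    'memory/1968-534-0x0000000000400000-0x000000000048B000-memory.dmp',
    'memory/2740-609-0x0000000000400000-0x0000000000417000-memory.dmp',
    'memory/2512-610-0x0000000000400000-0x0000000000417000-memory.dmp',
    'memory/1084-509-0x0000000003610000-0x0000000003612000-memory.dmp',
    'memory/1084-546-0x0000000003610000-0x0000000003624000-memory.dmp',
    'memory/1260-527-0x00000000011E0000-0x00000000012B1000-memory.dmp',
]

DUMP_RE = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$'
)


def parse_dump_name(name):
    """Return (pid, seq, start, end) with the addresses as integers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f'not a dump name: {name!r}')
    return int(m['pid']), int(m['seq']), int(m['start'], 16), int(m['end'], 16)


def group_by_region(names):
    """Map (start, end) -> sorted list of PIDs that had exactly that range dumped."""
    regions = defaultdict(set)
    for name in names:
        pid, _seq, start, end = parse_dump_name(name)
        regions[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in regions.items()}


def shared_regions(names, min_pids=2):
    """Ranges seen in at least min_pids processes, most widely shared first.

    Same base and same size in several PIDs is the usual signature of one
    executable image mapped in each; confirm by hashing the dumps.
    """
    rows = [(s, e, e - s, pids)
            for (s, e), pids in group_by_region(names).items() if len(pids) >= min_pids]
    return sorted(rows, key=lambda r: -len(r[3]))   # stable, so ties keep listing order


def resized_bases(names):
    """Per PID, bases dumped with more than one end address across snapshots."""
    seen = defaultdict(lambda: defaultdict(set))
    for name in names:
        pid, _seq, start, end = parse_dump_name(name)
        seen[pid][start].add(end)
    return {pid: {hex(base): [hex(e) for e in sorted(ends)]
                  for base, ends in bases.items() if len(ends) > 1}
            for pid, bases in seen.items()
            if any(len(ends) > 1 for ends in bases.values())}


if __name__ == '__main__':
    for start, end, size, pids in shared_regions(SAMPLE_DUMPS):
        print(f'{start:#x}-{end:#x} ({size:#x} bytes) in PIDs {pids}')
    print(resized_bases(SAMPLE_DUMPS))
```

Run against the full list on the page, the 0x400000-0x48B000 and 0x400000-0x417000 groups are the ones worth hashing first, since a single dropped binary run many times explains most of the dump volume.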

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 11:27

Reported

2024-06-26 11:30

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\pev.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" C:\32788R22FWJFW\PEV.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regt.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBO-FIX.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zip.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\listdlls.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETPATH.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ATTRIB.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mtee.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TAIL.COM C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPAND.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extract.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erunt.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\grep.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWXCACLS.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XCOPY.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mtee.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CSCRIPT.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NIRCMD.EXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erunt.cfxxe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nircmd.exe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CATCHME.CFXXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chcp.com C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catchme.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERUNT.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sed.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MOVEEX.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ERDNT.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GSAR.CFXXE C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Combo-Fix.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcopy.exe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tail.com C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.EXE C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FINDSTR.EXE C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGT.CFXXE C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.CFXXE C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe C:\32788R22FWJFW\pev.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\32788R22FWJFW\n.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\PEV.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\PEV.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\SWXCACLS.cfxxe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\hidec.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\SWREG.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\GSAR.cfxxe N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\GSAR.cfxxe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\nircmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\swreg.exe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\grep.cfxxe N/A
N/A N/A C:\32788R22FWJFW\NirCmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\n.pif N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A
N/A N/A C:\32788R22FWJFW\cmd.cfxxe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart C:\32788R22FWJFW\PEV.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\32788R22FWJFW\PEV.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX C:\32788R22FWJFW\pev.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\pev.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor C:\32788R22FWJFW\PEV.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\EnableExtensions = "1" C:\32788R22FWJFW\PEV.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" C:\32788R22FWJFW\pev.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\PEV.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\32788R22FWJFW\pev.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pif C:\32788R22FWJFW\PEV.exe N/A
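The registry tables in this analysis (Disables RegEdit, Image File Execution Options, Safe Mode Boot, file-type associations, Run key, registry class) are long but carry three details that the signature names alone hide. The Disables RegEdit rows write DisableRegistryTools = 0, which is the unrestricted state; the signature fires on the write to the policy key, not on the value. The exefile/comfile/batfile/piffile rows write "%1" %*, which is the stock Windows handler, so no launch is being redirected there. The IFEO rows show only keys being created and deleted; no Debugger value appears in the report, and without one an IFEO key changes nothing. Several of the image names under IFEO (ComboFix.exe, Combo-Fix.exe, erunt, catchme, nircmd, swreg, pev) are the names of components of the ComboFix cleanup utility, which protects its own tools this way; whether this sample is a repackaged copy of that tool cannot be settled from the report alone. The script below is an added example, not sandbox code: it parses rows in the flattened "Description Indicator Process Target" layout used above, buckets them by the location each one touches and applies those three checks. The input is a constructed subset of the report's rows, and the function names are the author's own.

```python
"""Triage registry rows copied from a flattened sandbox signature table.

Added example for this report, not sandbox code. A Set value row carries
= "<value>"; a Key created/deleted row does not; the Target column is N/A
throughout, and process paths in this report contain no spaces.
"""
import re
from collections import defaultdict
from pprint import pprint

# Constructed subset: rows copied verbatim from the tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\32788R22FWJFW\PEV.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe C:\32788R22FWJFW\PEV.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE C:\32788R22FWJFW\PEV.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" C:\32788R22FWJFW\PEV.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\32788R22FWJFW\PEV.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfxxe\ = "cfxxefile" C:\32788R22FWJFW\PEV.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\InfDefaultInstall.exe N/A',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (?P<path>.+?)(?: = "(?P<value>.*)")?$')
KEY_RE = re.compile(r'^Key (?P<action>created|deleted) (?P<path>.+)$')
SHELL_CMD_RE = re.compile(r'\\shell\\(?P<verb>\w+)\\command$')

# Stock Windows handler for exefile/comfile/batfile/piffile/cmdfile. Anything
# else written here wraps every launch of that file type.
DEFAULT_OPEN_COMMAND = '"%1" %*'


def parse_row(row):
    """Return (op, key, value_name, value, process) for one table row."""
    body, _target = row.rsplit(' ', 1)        # Target column (N/A throughout)
    body, process = body.rsplit(' ', 1)       # process path carries no spaces in this report
    m = SET_RE.match(body)
    if m:
        key, _, name = m.group('path').rpartition('\\')   # trailing '\' means the (Default) value
        value = (m.group('value') or '').replace('\\"', '"')  # the report escapes embedded quotes
        return 'set', key, name or '(Default)', value, process
    m = KEY_RE.match(body)
    if m:
        return 'key_' + m.group('action'), m.group('path'), None, None, process
    raise ValueError(f'unrecognised row: {row!r}')


def triage(rows):
    """Bucket rows by the persistence/evasion location each registry path implements."""
    out = {'policies': [], 'ifeo': defaultdict(list), 'ifeo_debugger': [],
           'safeboot': [], 'associations': [], 'extensions': [], 'runonce': []}
    for row in rows:
        op, key, name, value, process = parse_row(row)
        low = key.lower()
        parts = key.split('\\')
        if op != 'set':
            if '\\image file execution options\\' in low:
                out['ifeo'][parts[-1].lower()].append((op, process))
            continue
        if '\\policies\\system' in low:
            # 1 restricts the tool; 0, which is what this sample writes, lifts the restriction.
            state = 'restricted' if value == '1' else 'not restricted'
            out['policies'].append((name, value, state, process))
        elif '\\image file execution options\\' in low and name.lower() == 'debugger':
            # Only a Debugger value redirects execution; a bare IFEO key does nothing by itself.
            out['ifeo_debugger'].append((parts[-1].lower(), value, process))
        elif '\\safeboot\\minimal\\' in low:
            out['safeboot'].append((parts[-1], value, process))   # entry name, "Service"/"Driver"
        elif '\\classes\\' in low:
            idx = [p.lower() for p in parts].index('classes')
            progid = parts[idx + 1]
            verb = SHELL_CMD_RE.search(low)
            if verb:
                verdict = 'default' if value == DEFAULT_OPEN_COMMAND else 'HIJACKED'
                out['associations'].append((progid, verb['verb'], value, verdict, process))
            elif progid.startswith('.') and len(parts) == idx + 2 and name == '(Default)':
                out['extensions'].append((progid, value, process))   # extension -> ProgID
        elif '\\currentversion\\runonce' in low:
            out['runonce'].append((name, value, process))
    out['ifeo'] = dict(out['ifeo'])
    return out


if __name__ == '__main__':
    pprint(triage(SAMPLE_ROWS))
```

On the full tables the useful output is the 'ifeo_debugger' bucket (empty for this report, so none of the IFEO keys is shown to redirect anything), any 'HIJACKED' verdict under 'associations' (none here, every handler is the default), and the 'extensions' bucket, which shows the private .cfxxe extension being mapped to its own cfxxefile ProgID.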

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\32788R22FWJFW\pev.exe N/A
N/A N/A C:\32788R22FWJFW\License\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\32788R22FWJFW\pev.exe N/A
Token: SeDebugPrivilege N/A C:\32788R22FWJFW\License\iexplore.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeRestorePrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\swreg.exe N/A
Token: SeSecurityPrivilege N/A C:\32788R22FWJFW\SWXCACLS.cfxxe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\iexplore.exe
PID 400 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 2608 wrote to memory of 4840 N/A C:\32788R22FWJFW\iexplore.exe C:\32788R22FWJFW\License\iexplore.exe
PID 5072 wrote to memory of 2496 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\pev.exe
PID 400 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 3376 wrote to memory of 4900 N/A C:\32788R22FWJFW\n.pif C:\Windows\SysWOW64\InfDefaultInstall.exe
PID 4900 wrote to memory of 2532 N/A C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\runonce.exe
PID 2532 wrote to memory of 528 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 400 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\n.pif
PID 996 wrote to memory of 992 N/A C:\32788R22FWJFW\n.pif C:\32788R22FWJFW\PEV.exe
PID 400 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 400 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 4408 wrote to memory of 4016 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\PEV.exe
PID 400 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 400 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe C:\32788R22FWJFW\hidec.exe
PID 716 wrote to memory of 548 N/A C:\32788R22FWJFW\hidec.exe C:\32788R22FWJFW\swreg.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\PEV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\pev.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\32788R22FWJFW\PEV.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle " Security"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "SysInternals"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Tool"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security Central"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close ititle "Security essentials"

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" win close class consolewindowclass

C:\32788R22FWJFW\iexplore.exe

"C:\32788R22FWJFW\iexplore.exe" exec hide 32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\License\iexplore.exe

32788R22FWJFW\License\iexplore.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\pev.exe

32788R22FWJFW\pev.exe -loadline32788R22FWJFW\License\UnxUtilsDist.pif and not "C:\Users\Admin\AppData\Local\Temp\11d70692f4951c285da09737464c9eb3_JaffaCakes118.exe"

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" shexec install 32788R22FWJFW\Prep.inf

C:\Windows\SysWOW64\InfDefaultInstall.exe

"C:\Windows\System32\InfDefaultInstall.exe" "C:\32788R22FWJFW\Prep.inf"

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\PEV.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q

C:\32788R22FWJFW\PEV.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /da:r /q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /reset /q

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Command Processor" /reset /q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q

C:\32788R22FWJFW\SWXCACLS.cfxxe

32788R22FWJFW\SWXCACLS.cfxxe "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /O Guest /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 150 exec hide 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\hidec.exe

"C:\32788R22FWJFW\hidec.exe" 32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 3000 exec hide 32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q

C:\32788R22FWJFW\SWREG.exe

32788R22FWJFW\SWREG.exe acl "hklm\software\microsoft\windows nt\currentversion\windows" /DE:F /Q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" shellcopy C:\Windows\system32\en-us\cmd.exe.mui 32788R22FWJFW\EN-US\cmd.cfxxe.mui yestoall noerrorui silent nosecattr

C:\32788R22FWJFW\swreg.exe

32788R22FWJFW\swreg.exe acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset /q

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\GSAR.cfxxe

32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" exec hide 32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\GSAR.cfxxe

32788R22FWJFW\GSAR.cfxxe -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" "32788R22FWJFW\cmd.cfxxe"

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 1000 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\nircmd.cfxxe

"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\cmd.cfxxe

"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\pev.exe

32788R22FWJFW\PEV.exe RIMPORT 32788R22FWJFW\EXE.reg

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "5.1.2" OsVer

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "6.0.6" OsVer

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "6.1.7600" OsVer

C:\32788R22FWJFW\swreg.exe

SWREG.exe QUERY "hklm\software\microsoft\windows nt\currentversion" /v currentversion

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -is "currentversion.* 6.[01]" OsVer00

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "5.00.2" OsVer

C:\32788R22FWJFW\grep.cfxxe

GREP.cfxxe -F "5.2." OsVer

C:\Windows\SysWOW64\chcp.com

CHCP 1252

C:\32788R22FWJFW\NirCmd.cfxxe

Nircmd.cfxxe infobox "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"

C:\32788R22FWJFW\n.pif

"C:\32788R22FWJFW\n.pif" cmdwait 2500 exec hide "32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\cmd.cfxxe

"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

C:\32788R22FWJFW\cmd.cfxxe

"32788R22FWJFW\cmd.cfxxe" /c 32788R22FWJFW\p.cmd

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/400-0-0x0000000000400000-0x0000000000428000-memory.dmp

C:\32788R22FWJFW\n.pif

MD5 ae72e8619cb31d84da25e2435e55003c
SHA1 2ed893a9aa82da248b5f4344819fcf6ad2d28240
SHA256 eccf9f7bb602e25cf9383be7856318c1fa679c0c4a354966b0ed723da17e8d24
SHA512 1013c5f0a25b3dfc3daa3d7dec9f16c0fc89e9672a7f400145973e4427db331cf8be6ea42a0d6cd225eccb2b88f05bf0237342a35276c8689f320121e386c982

memory/1512-352-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1860-356-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4304-358-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1512-355-0x0000000000400000-0x0000000000414000-memory.dmp

C:\32788R22FWJFW\hidec.exe

MD5 abc6379205de2618851c4fcbf72112eb
SHA1 1ed7b1e965eab56f55efda975f9f7ade95337267
SHA256 22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512 180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

memory/5072-377-0x0000000000400000-0x0000000000402000-memory.dmp

memory/4840-378-0x0000000000E10000-0x0000000000EE1000-memory.dmp

C:\32788R22FWJFW\pev.exe

MD5 f1fba6185a6a2bc6456970914875078e
SHA1 a3a0da9b072ad4ceab9aec41af71a730d9b44744
SHA256 deaaab3b825ebadb6395e0be7671f96fd30ca8f76159b53c2d11da5c2ca7b7d0
SHA512 45cd68a2465d5aa24a693f5bdec9999fee1117e4329d4ae2e1d51a923d42d717e1d09eff9f9e11f3282ebc32422640028d64bf108f9d3d9c49bcd1df6b14212a

memory/2496-381-0x0000000000F40000-0x0000000001011000-memory.dmp

C:\\32788R22FWJFW\License\UnxUtilsDist.pif

MD5 50bf4c2f676d9f72739a3056f539c25b
SHA1 4343d7c0b00d433a278f455373df24e31110f13b
SHA256 cd13768a6e28bbebb7c11458965703a98df6c3722955f392ddbd555adf0ddd41
SHA512 dcdcede9fe9f282d77aa19008d7343ea793a66d152835cc86f133b9ff2b6490ce976c3abdb3538b0deff2db388b949937ed364ffe5f076a74d76cc743d9e2e28

memory/2496-389-0x0000000000F40000-0x0000000001011000-memory.dmp

memory/4840-390-0x0000000000E10000-0x0000000000EE1000-memory.dmp

C:\32788R22FWJFW\Prep.inf

MD5 f03267eaf036d409ef5a4be5d52fce0c
SHA1 6e3b554805deae14ef3d20b028608d5597b742b7
SHA256 6ac8ee793e2013b772c2ef5a93fafb27b058fff675a5ed5f29d4062775050aff
SHA512 9067c87977c6a89c4389add25235b58c828dcc0c0c88f85b5f7bc6f33913c21e4a0dbf1b659409354df9266e8f0dd6a30a34a062444f35ee1aa9b6be7fb35ebc

C:\\32788R22FWJFW\EXE.reg

MD5 36cc97e6ad2062cf6ec87112f93a966b
SHA1 fa69d6fb867dd576c98c8f58f4ea088be99bb4b3
SHA256 053e62b47466216370865e22e0459ac32abc21b8265d2666dfd253996145741b
SHA512 7ae97e3ea54720856731ce85c46d67a160080aea8fbca21f5fb13a7a8ec81a164d313865aed4a1db23e2d3539ba97d8ca0fbfb21f5f95a6afe7e4c044d3c8135

memory/992-401-0x0000000000F40000-0x0000000001011000-memory.dmp

C:\32788R22FWJFW\swreg.exe

MD5 01d95a1f8cf13d07cc564aabb36bcc0b
SHA1 be229bde90b82d21fe94c67e2b096334e93d78c2
SHA256 1eed7a2498943b7303de1f085820edbabae4a414db6125862c1ba2db269ee3e3
SHA512 342c92b9e6d6870a43c973dd2b52549f8925eec9b153056db336184243f08eb932aa1e433e7d950bbb0d4e46faa95d04f0283b48d4361653d9b81311ab2b3a48

memory/548-415-0x0000000000400000-0x000000000048B000-memory.dmp

C:\32788R22FWJFW\swxcacls.cfxxe

MD5 b1a9cf0b6f80611d31987c247ec630b4
SHA1 7299b3c370254e1e4bade26dc5fec818989d836a
SHA256 933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512 152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1

memory/400-414-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4016-425-0x0000000000F40000-0x0000000001011000-memory.dmp

memory/2844-426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/548-428-0x0000000000400000-0x000000000048B000-memory.dmp

memory/3380-430-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2076-432-0x0000000000400000-0x000000000048B000-memory.dmp

memory/828-433-0x0000000000400000-0x000000000048B000-memory.dmp

memory/1108-440-0x0000000000400000-0x000000000048B000-memory.dmp

memory/3976-441-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4980-446-0x0000000000400000-0x000000000048B000-memory.dmp

memory/528-457-0x0000000000400000-0x000000000048B000-memory.dmp

C:\32788R22FWJFW\gsar.cfxxe

MD5 d6a005f8facff88e260688ddb7ae00c1
SHA1 4e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA256 0ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA512 7e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7

C:\\32788R22FWJFW\cmd.cfxxe

MD5 29824dce144b6134797729005107ee1f
SHA1 d0bb9999154b87c32658b55c5c3bc2c5cbe156b6
SHA256 bf313ea50b8a199fe4482f83123af4a4b40f8a15a8899d05f036a00a74bdaba5
SHA512 f794953628bbd8e787a84705b61a5504f769f0aa5151771357a2fe5a3eec3e87597ed6f25d875c2beebf298ad79dded0dc133727156beaaebdfa7e23468fd6cd

C:\32788R22FWJFW\P.cmd

MD5 16c79348f25f4437390163d0b625133f
SHA1 442b8286359ff64a0001ec914cf0019777e88fa7
SHA256 346d883f24248acc4ccdf4fecf1084fdee0be47d9e6f86bc740dd60ff8f515f2
SHA512 c33bc09ce54ef662320c92f4f02a8bdbcbcba4736e1c33891436fd14c93050a5c1fb349f7deb40ff6e09275950de91639a48add4b2eb8474ee3c4f057c4c6946

memory/4836-478-0x0000000000F40000-0x0000000001011000-memory.dmp

memory/4836-480-0x0000000000F40000-0x0000000001011000-memory.dmp

C:\32788R22FWJFW\grep.cfxxe

MD5 9e05a9c264c8a908a8e79450fcbff047
SHA1 363b2ee171de15aeea793bd7fdffd68d0feb8ba4
SHA256 c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1
SHA512 712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

memory/3048-486-0x0000000000400000-0x0000000000417000-memory.dmp

C:\32788R22FWJFW\OsVer

MD5 81107438325dd733bb955160756d8c08
SHA1 fb50243b24da6daef8ae5671d7cbb1a30bd4c4ca
SHA256 29f6c98e2dc762764bce3fcd63826f7038170b4644e1a2e676463734e59a0ff6
SHA512 d4ed17c94ffb44bfac3ed5ea22f4c42cd39d6f87623a1e96cecca52b30caf1b745c4ce8bd5f04ca670ef71789af92a29db603a897be2e539c8745fb68a43b1ed

memory/3424-488-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2572-490-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4436-492-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2748-495-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4572-496-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1320-497-0x0000000000400000-0x0000000000417000-memory.dmp

memory/400-500-0x0000000000400000-0x0000000000428000-memory.dmp